Information Security News | AI Aggregator

Please be mindful of possible hallucinations. Verify information prior to taking action.
Renault UK Customer Records Stolen in Third-Party Breach
Date: 2025-10-02 | Source: Hack Read
Renault UK has informed customers of a potential data compromise following a cyberattack on a third-party service provider. While Renault's systems were not breached, personal data such as names, contact details, and vehicle information may have been exposed. The company is taking remediation steps and cooperating with authorities. Renault emphasizes that no financial information was affected and advises customers to be cautious of unsolicited requests for personal information.
2025-10-03 | The Register: Criminals take Renault UK customer data for a joyride
Renault UK customers have been alerted that their personal data may have been compromised following a cyberattack on a third-party supplier. The breach involved customer names, gender, phone numbers, email and postal addresses, and vehicle registration numbers, but no financial data was accessed. Renault confirmed that its own systems were not compromised and has reported the incident to regulators. Customers are advised to be cautious of unsolicited requests for personal information.
2025-10-03 | DIGIT: Renault UK Customers Personal Data Breached in Third-party Hack
Hackers breached a third-party data processing partner of Renault Group UK, compromising personal data of UK customers, including names, gender, phone numbers, addresses, dates of birth, vehicle registration details, and identification numbers. Financial details and passwords were not affected. The number of impacted customers is unknown. Renault is contacting affected individuals and advising caution against unsolicited requests for personal information. The breach follows other recent incidents affecting various brands.
2025-10-03 | Cybersecurity Dive: Renault Group confirms certain UK customer data stolen in third-party breach
Renault Group confirmed that certain U.K. customer data was stolen in a cyberattack on a third-party data processing provider. The breach involved personal contact and vehicle information, but no financial data was compromised. Renault has contacted relevant authorities, including the U.K. Information Commissioner’s Office, and is notifying affected customers to be cautious of unsolicited contact. The incident highlights ongoing cybersecurity challenges in the automotive sector, following similar attacks on Jaguar Land Rover and Stellantis.
Cybercrims claim raid on 28,000 Red Hat repos, say they have sensitive customer files
Date: 2025-10-02 | Source: The Register
A hacking group named "the Crimson Collective" claims to have breached Red Hat's private GitHub repositories, stealing approximately 570GB of data, including sensitive Customer Engagement Reports (CERs) from over 28,000 internal repos. These documents contain critical infrastructure details for major organizations. The attackers assert they have used stolen authentication tokens to compromise downstream customers. Red Hat has not confirmed the breach or responded to extortion demands. Concerns are heightened due to a critical vulnerability in Red Hat's OpenShift AI platform.
2025-10-02 | Security Affairs: Cybercrime group claims to have breached Red Hat's private GitHub repositories
On October 2, 2025, the Crimson Collective claimed to have breached Red Hat's private GitHub repositories, stealing 570GB of data, including 28,000 projects and 800 Customer Engagement Reports (CERs) containing sensitive network information. The group shared proof of the breach on Telegram, including a file tree with references to major organizations. Red Hat confirmed the breach but stated it does not affect other services or products and has initiated remediation steps.
2025-10-02 | TechRadar: Red Hat confirms major data breach after hackers claim mega haul
Red Hat confirmed a significant data breach involving the hacking group Crimson Collective, which claims to have stolen 570GB from 28,000 internal projects on Red Hat's GitHub. The hackers allege they accessed 800 Customer Engagement Records containing sensitive infrastructure data. Red Hat acknowledged the breach but could not verify the claims regarding stolen CERs. The attack reportedly occurred two weeks prior, affecting numerous high-profile clients, though Red Hat asserts no other services were impacted.
2025-10-02 | 404 Media: Red Hat Investigating Breach Impacting as Many as 28,000 Customers, Including the Navy and Congress
A hacking group, the Crimson Collective, claims to have breached Red Hat's private GitHub repositories, extracting 570 GB of data affecting approximately 28,000 customers, including the US Navy and Congress. Red Hat confirmed the incident and is taking remediation steps, asserting no impact on other services. The compromised data includes customer engagement reports (CERs) that detail clients' tech infrastructures. The hackers allege they also accessed some clients' infrastructures and attempted to contact Red Hat without response.
2025-10-02 | Help Net Security: Hackers claim to have plundered Red Hat’s GitLab repos
The Crimson Collective claims to have accessed and exfiltrated data from over 28,000 internal repositories on a Red Hat GitLab instance, including sensitive information such as credentials, CI/CD secrets, and infrastructure blueprints. The compromised data reportedly involves major clients like Citi, Verizon, and the U.S. Senate. Red Hat is investigating the incident and has initiated remediation steps, asserting no impact on other services or the integrity of its software supply chain.
2025-10-02 | Cyberscoop: Red Hat confirms breach of GitLab instance, which stored company’s consulting data
Red Hat confirmed a breach of its GitLab instance used by its consulting team, resulting in the theft of data, including project specifications and internal communications. The cybercrime group Crimson Collective claimed responsibility, stating they stole over 28,000 repositories. The Centre for Cybersecurity Belgium warned of high risks, potentially exposing sensitive information. Red Hat stated that no sensitive personal data has been identified as compromised and is notifying affected customers directly.
2025-10-03 | The Register: Red Hat fesses up to GitLab breach after attackers brag of data theft
Red Hat confirmed a breach of its consulting GitLab system, where an unauthorized third party accessed and copied data. The Crimson Collective claimed to have stolen hundreds of Customer Engagement Reports, which may contain sensitive information. Red Hat has engaged security experts and notified law enforcement but has not disclosed the specifics of the data taken or how access was gained. Belgium's cybersecurity authority warned of potential supply chain risks and advised organizations to revoke shared credentials.
Researchers uncover spyware targeting messaging app users in the UAE
Date: 2025-10-02 | Source: Recorded Future
Researchers from ESET have identified two spyware campaigns, ProSpy and ToSpy, targeting users of messaging apps in the UAE. These campaigns use fake apps masquerading as Signal and ToTok, installed from deceptive websites and unofficial app stores. The spyware steals sensitive data, including contacts and chat backups, while keeping the appearance of a legitimate app. Command-and-control servers that remain online indicate the ToSpy campaign is still active, with the earliest samples dating back to June 2022; ProSpy is believed to have started in 2024.
2025-10-02 | Help Net Security: ProSpy and ToSpy: New spyware families impersonating secure messaging apps
ESET researchers discovered two Android spyware families, ProSpy and ToSpy, targeting users seeking secure messaging apps like Signal and ToTok. Distributed via fake websites, these spyware apps require manual installation and exfiltrate sensitive data from compromised devices. ProSpy was identified in June 2025, while ToSpy likely began in mid-2022. Both campaigns primarily target users in the UAE. Users are advised to avoid unofficial app sources and to be cautious with permissions during installation.
2025-10-02 | The Hacker News: Warning: Beware of Android Spyware Disguised as Signal Encryption Plugin and ToTok Pro
Cybersecurity researchers from ESET have identified two Android spyware campaigns, ProSpy and ToSpy, targeting users in the U.A.E. These malicious apps impersonate Signal and ToTok, distributed via fake websites. ProSpy, active since June 2025, uses deceptive sites to deliver spyware disguised as app upgrades. ToSpy, ongoing since June 30, 2022, employs similar tactics. Both spyware strains exfiltrate sensitive data and maintain persistence through background services. Users are advised to avoid unofficial app sources.
2025-10-02 | Cyberscoop: Android spyware disguised as legitimate messaging apps targets UAE victims, researchers reveal
Researchers at ESET uncovered two Android spyware families, ProSpy and ToSpy, masquerading as messaging apps Signal and ToTok, targeting UAE residents. Discovered in June but believed to date back to last year, the spyware requests extensive permissions upon installation, allowing data exfiltration. Neither app was available in official stores, requiring manual installation from deceptive third-party sites. The campaigns likely focus on privacy-conscious users in the UAE, leveraging the popularity of ToTok.
2025-10-03 | Security Affairs: ProSpy, ToSpy malware pose as Signal and ToTok to steal data in UAE
Researchers uncovered two Android spyware campaigns, ProSpy and ToSpy, targeting users in the UAE by impersonating Signal and ToTok apps. Both malware are distributed via fake websites and social engineering tactics, requiring manual installation. ProSpy, active since 2024, exfiltrates sensitive data after requesting permissions. ToSpy, detected in June 2025, also targets ToTok users. Both maintain persistence through background services and are designed to minimize user awareness. Users are advised to avoid unofficial app sources.
2025-10-03 | TechRadar: Android spyware pretends to be Signal or ToTok update to fool victims - here's how to stay safe
Android users in the UAE are targeted by ProSpy and ToSpy malware campaigns that spoof Signal and ToTok apps to distribute malware. Disguised as legitimate updates, the malware exfiltrates SMS, contacts, and files. It requests access to sensitive data and renames itself to 'Play Services' to evade detection. Users are advised to download apps only from official sources like the Google Play Store to avoid infection. ESET has tracked these campaigns since June 2025, suspecting they began in 2024.
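The check a practitioner would want after the coverage above is whether a device carries a sideloaded package posing as Signal, ToTok or "Play Services". The following script is an added example, not code from ESET or from any of the outlets summarized here. It parses the output of `adb shell pm list packages -3 -i` (third-party packages with their installer), flags anything not installed by the Play Store, and marks packages whose name borrows a brand but is not the official package. Signal's official package name (org.thoughtcrime.securesms) and Play Services' (com.google.android.gms) are public facts; ToTok's is deliberately left unlisted rather than guessed. The sample output and the fake package names in it are constructed for illustration.

```python
"""Flag sideloaded Android packages and brand-name impersonators.

Input is the text of `adb shell pm list packages -3 -i`, one line per
third-party package:  package:<name>  installer=<installer|null>
(the -3 switch excludes system apps, whose installer is always null).
"""
import re
import sys

PLAY_STORE = "com.android.vending"

# Brand keyword -> official package name. None means "official name not
# listed here" (ToTok's should be added from its store listing, not guessed).
BRANDS = {
    "signal": "org.thoughtcrime.securesms",
    "totok": None,
    "playservices": "com.google.android.gms",
}

LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)$")

# Constructed sample; package names other than Signal's are invented.
SAMPLE_PM_OUTPUT = """\
package:org.thoughtcrime.securesms  installer=com.android.vending
package:com.example.signal.plugin  installer=null
package:com.example.totokpro  installer=com.android.packageinstaller
package:com.example.bank  installer=com.android.vending
package:com.example.playservices  installer=null
"""


def parse(pm_output):
    """Yield (package, installer) pairs; lines without installer info are skipped."""
    for line in pm_output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("pkg"), m.group("installer")


def audit(pm_output, trusted_installers=frozenset({PLAY_STORE})):
    """Return findings for packages that are sideloaded or impersonate a brand.

    Impersonation is a name heuristic and is only raised for packages that did
    not come from a trusted installer, so a genuine store listing that happens
    to contain a brand word is not flagged.
    """
    findings = []
    for pkg, installer in parse(pm_output):
        reasons = []
        untrusted = installer not in trusted_installers
        if untrusted:
            reasons.append("sideloaded" if installer == "null"
                           else "installed-by:" + installer)
        normalized = pkg.lower().replace(".", "").replace("_", "")
        for brand, official in BRANDS.items():
            if untrusted and brand in normalized and pkg != official:
                reasons.append("impersonates:" + brand)
        if reasons:
            findings.append({"package": pkg, "installer": installer,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Usage: adb shell pm list packages -3 -i | python audit_packages.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PM_OUTPUT
    for f in audit(data):
        print(f["package"], f["installer"], ", ".join(f["reasons"]))
```

The official Signal APK is also offered for direct download, so a sideloaded org.thoughtcrime.securesms shows up only as "sideloaded", never as an impersonator; that is the intended distinction.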
Oracle customers being bombarded with emails claiming widespread data theft
Date: 2025-10-02 | Source: Cyberscoop
Attackers linked to the Clop ransomware group are targeting Oracle customers with extortion emails claiming data theft from Oracle E-Business Suite. The emails were sent from compromised third-party accounts, and investigations into the claims are ongoing. Sent to executives, they do not specify demands but urge victims to negotiate. While the tactics align with Clop's methods, no evidence of a successful breach or specific malware has been identified. Researchers are assessing the potential impact on affected organizations.
2025-10-02 | Times Now: Google Issues Warning As Hackers Target Executives With Extortion Emails: All You Need To Know
Google has warned organizations about a rise in cyber extortion emails targeting executives, with attackers claiming to have stolen sensitive data from Oracle’s E-Business Suite. The emails demand ransom to prevent data release, and the group is linked to the Cl0p ransomware gang. Google stated there is no verified evidence of data theft, urging caution as the emails may be scare tactics. This warning highlights the increasing focus of ransomware groups on high-value corporate systems, emphasizing the need for enhanced cybersecurity measures.
2025-10-02 | TechRadar: Ransomware hackers claim Oracle app breach, tell victims their data has been stolen
Hackers claim to have stolen data from Oracle E-Business Suite, demanding ransom from executives. This campaign, linked to FIN11 and possibly Cl0p, involves emails sent from hundreds of compromised accounts. Although the claims of data theft remain unsubstantiated, researchers advise organizations to check Oracle logs for suspicious activity. The campaign began on or before September 29, 2025, and is under investigation by Mandiant and Google’s Threat Intelligence Group.
2025-10-02 | The Hacker News: Google Mandiant Probes New Oracle Extortion Wave Possibly Linked to Cl0p Ransomware
Google Mandiant is investigating a new extortion campaign possibly linked to the Cl0p ransomware group, targeting executives with emails claiming to have stolen data from Oracle E-Business Suite. This activity began on or before September 29, 2025, and involves a high-volume email campaign from compromised accounts, some associated with FIN11. While similarities to Cl0p tactics exist, Google has not confirmed direct ties. Organizations are urged to investigate for potential threat actor activity.
2025-10-02 | The Register: Clop-linked crims shake down Oracle execs with data theft claims
Criminals linked to the Clop ransomware group are extorting Oracle executives via emails, claiming to have stolen sensitive data from Oracle's E-Business Suite. This high-volume activity began on or before September 29, 2025, but researchers from Google and Mandiant have not confirmed any breach or vulnerability in Oracle's systems. The extortion attempts leverage Clop's brand recognition, raising concerns about potential access to sensitive enterprise data, though the claims remain unverified.
2025-10-02 | Help Net Security: Oracle customers targeted with emails claiming E-Business Suite breach, data theft
Unknown attackers, claiming to be affiliated with the Cl0p extortion gang, are targeting Oracle E-Business Suite users with emails alleging data theft. This high-volume campaign began in late September 2025, utilizing compromised accounts linked to the FIN11 threat group. Ransom demands are reportedly in the seven to eight figures, with unverified proof of compromise shared. Organizations are advised to investigate potential threats and prepare response teams, treating the claims as credible until validated.
2025-10-02 | Infosecurity Magazine: Extortion Emails Sent to Executives by Self-Proclaimed Clop Gang Member
Since September 29, extortion emails have been sent to executives by individuals claiming affiliation with the Clop ransomware group, alleging theft of sensitive data from Oracle E-Business Suite. Mandiant and Google Threat Intelligence are investigating, noting a high-volume campaign from compromised accounts, some linked to the FIN11 group. The emails include contact information matching addresses on the Clop data leak site, suggesting a possible association, though attribution remains complex. Organizations are advised to investigate for threat actor activity.
2025-10-02 | TechCrunch: Hackers are sending extortion emails to executives after claiming Oracle apps’ data breach
Hackers linked to the Clop ransomware group are sending extortion emails to executives at numerous large organizations, claiming to have stolen sensitive data from Oracle's business software. This campaign began around September 29, with emails sent from compromised accounts. The hackers reportedly demanded up to $50 million from victims. They exploited compromised user emails and the default password-reset function to access Oracle E-Business Suite web-portals. Oracle has not commented on the situation.
2025-10-02 | Cybersecurity Dive: Hackers claiming ties to Clop launch wide extortion campaign targeting corporate executives
Hackers claiming ties to the Clop ransomware gang are targeting corporate executives in an email extortion campaign, demanding payment for allegedly stolen data from Oracle E-Business Suite applications. Security researchers from Google and Kroll have linked the campaign to the financially motivated group FIN11. The extortion began earlier this week, with emails sent from compromised accounts. Clop is known for exploiting vulnerabilities in MOVEit and Cleo file transfer software, affecting companies like Hertz and WK Kellogg.
2025-10-02 | Recorded Future: Cybercriminals are trying to extort executives with data allegedly stolen through Oracle tool
Cybercriminals, potentially linked to the Clop ransomware gang, are extorting corporate executives by threatening to leak data allegedly stolen from Oracle's E-Business Suite. Mandiant and Google Threat Intelligence Group reported the campaign began on September 29, involving high-volume emails sent from compromised accounts. While the hackers claim affiliation with Clop, Mandiant has not confirmed the validity of these claims. Clop has previously exploited vulnerabilities in file transfer tools, impacting thousands of organizations.
2025-10-02 | Cyberscoop: Here is the email Clop attackers sent to Oracle customers
Clop ransomware group sent extortion emails to Oracle customers, claiming to have breached their Oracle E-Business Suite and threatening to publish stolen data unless a ransom is paid. The emails, sent from compromised accounts, aim to intimidate recipients and create urgency. The attackers assert they are not politically motivated and promise to delete the data post-payment. Researchers have not confirmed a breach, and Oracle has not publicly commented on the situation.
2025-10-03 | CSO Online: Oracle E-Business Suite users targeted in extortion campaign
Threat actors linked to the Cl0p gang are targeting Oracle E-Business Suite users in an extortion campaign, claiming to have stolen sensitive data. This activity began on or before September 29, 2025, with ransom demands reaching up to $50 million. Researchers from Halcyon, Google, and Mandiant are monitoring the situation, as the attackers provide proofs of compromise, including screenshots and file trees, to substantiate their claims.
2025-10-03 | Security Affairs: Google warns of Cl0p extortion campaign against Oracle E-Business users
Google warns of a Cl0p ransomware extortion campaign targeting Oracle E-Business Suite users, with demands reaching up to $50 million. The group claims to have stolen sensitive data and provided proof of compromise. Attackers likely exploited default password reset vulnerabilities and hacked user emails. Mandiant reports that at least one company confirmed data theft. The campaign began on or before September 29, 2025, and involves mass extortion using compromised accounts, some linked to the FIN11 group.
2025-10-03 | Infosecurity Magazine: Hackers Target Unpatched Flaws in Oracle E-Business Suite
Hackers are exploiting unpatched vulnerabilities in Oracle E-Business Suite (EBS), as warned by Oracle and the Google Threat Intelligence Group. Executives from several companies have received extortion emails claiming sensitive data theft from EBS. Oracle's CSO, Rob Duhart, confirmed the investigation into these vulnerabilities, urging customers to apply patches from the July 2025 Critical Patch Update, which addressed 309 vulnerabilities, including nine specific to EBS, three of which are critical.
2025-10-03 | The Register: Oracle tells Clop-targeted EBS users to apply July patch, problem solved
Oracle confirmed that some E-Business Suite (EBS) users are being targeted by cybercriminals linked to the Clop ransomware gang, who claim to have stolen sensitive data. The attackers exploit vulnerabilities addressed in Oracle's July 2025 Critical Patch Update. Mandiant and Google's Threat Intelligence Group report no evidence of Oracle's compromise, but Halcyon warns that thousands of organizations may be at risk due to configuration issues and lack of MFA. Ransom demands reach up to $50 million.
2025-10-03 | Hack Read: Cl0p-Linked Gang Attempts to Extort Oracle E-Business Customers
A group linked to the Cl0p ransomware gang is extorting Oracle E-Business Suite customers, threatening to expose allegedly stolen data. This email campaign began on or before September 29, 2025, prompting investigations by Mandiant and Google Threat Intelligence Group. The emails use addresses associated with Cl0p, but the claims of a data breach remain unverified. Oracle is aware and investigating, noting potential exploitation of vulnerabilities addressed in the July 2025 Critical Patch Update.
2025-10-03 | Cybersecurity Dive: Oracle investigating extortion emails targeting E-Business Suite customers
Oracle is investigating extortion emails targeting its E-Business Suite customers, potentially linked to vulnerabilities disclosed in July. Hackers, claiming affiliation with the Clop ransomware gang, have sent emails to executives threatening data theft. Oracle's CSO urged customers to review and patch their systems. Researchers from Google and Kroll confirmed the emails align with previous Clop communications and advised organizations to take the threats seriously and assess for data compromise.
2025-10-03 | Recorded Future: Oracle links extortion campaign to bugs addressed in July patch
Oracle confirmed that numerous customers received extortion emails from the Clop ransomware gang, demanding payment to prevent the release of stolen data. The investigation revealed potential exploitation of vulnerabilities addressed in the July 2025 Critical Patch Update. Incident responders noted the campaign likely began on September 29, with ransom demands reaching seven to eight figures. Clop provided evidence of data access, using tactics consistent with previous campaigns targeting file-sharing software.
UK government tries again to access encrypted Apple customer data: Report
Date: 2025-10-01 | Source: TechCrunch
The U.K. government has issued a new secret order demanding Apple create a backdoor to access encrypted iCloud data, as reported by the Financial Times. This follows a similar request made in January under the Investigatory Powers Act 2016, which led Apple to disable Advanced Data Protection (ADP) enrollment for U.K. users. Privacy advocates warn that compliance would jeopardize global user privacy. Apple has reiterated its stance against building backdoors into its products.
2025-10-01 | BBC News: Government issues new data demand for UK Apple users
The UK government has issued a new order allowing access to the personal data of Apple users in Britain, contingent on appropriate warrants for national security threats. This follows a dispute with Apple, which emphasizes its commitment to data privacy. The new directive replaces a broader order that angered the US government. Apple previously removed its Advanced Data Protection tool from the UK and is involved in ongoing legal proceedings, with a tribunal hearing scheduled for January 2026.
2025-10-01 | The Guardian: UK government resumes row with Apple by demanding access to British users’ data
The UK government has renewed its demand for Apple to provide access to encrypted cloud backups of British users, issuing a technical capability notice (TCN). This follows Apple's withdrawal of its advanced data protection (ADP) service for UK users. Apple has stated it will not create a backdoor for its products, emphasizing its commitment to user security. Privacy International warns that forcing Apple to compromise encryption could create vulnerabilities exploited by malicious actors globally.
2025-10-02 | DIGIT: UK Home Office Issues New Apple Backdoor Encryption Notice
The UK Home Office has issued a new notice demanding Apple create a backdoor for its encryption tool specifically for UK users, differing from previous global demands. Apple responded by withdrawing its Advanced Data Protection tool from the UK, increasing data risk for users. The Home Office has not confirmed the order's existence, while Apple has filed a lawsuit against it. Apple maintains it will not create any backdoor, emphasizing the importance of user privacy and the risks of compromising encryption.
3.7M breach notification letters set to flood North America's mailboxes
Date: 2025-10-01 | Source: The Register
A trio of companies reported data breaches affecting approximately 3.7 million individuals in North America. Allianz Life disclosed a breach impacting 1.4 million customers, with compromised data including names, addresses, dates of birth, and Social Security numbers. WestJet confirmed a June cyberattack exposed data of 1.2 million Americans, but no credit card information was compromised. Motility Software Solutions faced a ransomware attack affecting 766,670 individuals, with personal data potentially accessed. All companies are offering identity protection services.
2025-10-02 | Recorded Future: Millions impacted by data breaches at insurance giant, auto dealership software firm
Allianz Life Insurance Company confirmed a data breach affecting 1.49 million customers on July 16, where hackers accessed a third-party CRM system, exposing personal information including names, addresses, and Social Security numbers. Separately, Motility reported a ransomware attack on August 19, affecting 766,670 individuals, with hackers stealing personal data before encrypting systems. The Pear ransomware gang claimed responsibility, stating they stole 4.3 TB from Motility's parent company.
2025-10-02 | Security Affairs: Allianz Life data breach impacted 1.5 Million people
On July 16, 2025, Allianz Life experienced a data breach affecting 1.5 million individuals, including names, addresses, birth dates, and Social Security numbers, due to unauthorized access to a third-party CRM via social engineering. The breach is linked to the ShinyHunters hacking group, which leaked sensitive data from Allianz's Salesforce instances. Allianz Life is offering two years of free Kroll Identity Monitoring to affected individuals. The investigation is ongoing, and the FBI has been notified.
2025-10-02 | TechRadar: Major data breach at dealership software firm exposes 766,000 clients - here's what we know
Motility Software Solutions experienced a ransomware attack on August 11, 2025, exposing sensitive data of 766,670 customers, including SSNs, driver’s licenses, and contact details. The breach was detected on August 19 after unusual server activity. While the malware restricted access to internal data, some personal information was likely stolen. Motility restored services using backups and is offering a year of free identity theft protection to affected individuals.
Red Hat OpenShift AI Service Vulnerability Allows Attackers to Take Control of the Infrastructure
Date: 2025-10-01 | Source: Cyber Security News
Red Hat published an advisory for CVE-2025-10725, a critical privilege escalation vulnerability in OpenShift AI Service with a CVSS score of 9.9. Low-privileged authenticated users can exploit an overly permissive ClusterRoleBinding to gain full cluster administrator access. Affected versions include OpenShift AI 2.19 (RHEL 8) and 2.21 (RHEL 9). Red Hat recommends immediate updates via errata RHBA-2025:16984 and RHBA-2025:16983, and suggests removing the problematic ClusterRoleBinding as a temporary workaround.
2025-10-01 | The Hacker News: Red Hat OpenShift AI Flaw Exposes Hybrid Cloud Infrastructure to Full Takeover
A severe security flaw in Red Hat OpenShift AI, tracked as CVE-2025-10725 with a CVSS score of 9.9, allows authenticated low-privileged attackers to escalate privileges to full cluster administrator, compromising confidentiality, integrity, and availability. Affected versions include OpenShift AI 2.19 and 2.21. Red Hat advises limiting permissions for system-level groups and granting job creation rights on a granular basis to adhere to the principle of least privilege.
2025-10-01 | The Register: 'Delightful' root-access bug in Red Hat OpenShift AI allows full cluster takeover
A critical vulnerability (CVE-2025-10725) in Red Hat's OpenShift AI service allows low-privileged authenticated users to escalate privileges and fully compromise the cluster. The flaw, rated 9.9/10 in severity, enables attackers to steal data and disrupt services. Red Hat recommends removing the ClusterRoleBinding linking the kueue-batch-user-role with the system:authenticated group and granting permissions on a granular basis. Urgent patching is advised to prevent exploitation.
2025-10-02 | CSO Online: Red Hat OpenShift AI weakness allows full cluster compromise, warns advisory
Red Hat has issued an advisory regarding a critical vulnerability in its OpenShift AI Service, identified as CVE-2025-10725, with a CVSS rating of 9.9. This flaw allows attackers to gain full control over a cluster and its applications. Although categorized as "Critical" by the US National Vulnerability Database, Red Hat rates it as "Important" because exploitation requires an authenticated (if low-privileged) account. OpenShift AI is a Kubernetes-based platform for managing large language models.
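The root cause described across the coverage above is a ClusterRoleBinding that granted kueue-batch-user-role to the system:authenticated group, i.e. to every logged-in principal. The script below is an added example, not Red Hat's advisory or tooling: it audits the JSON from `kubectl get clusterrolebindings -o json` (or `oc` on OpenShift) for any binding whose subjects include system:authenticated or system:unauthenticated, skips the three bindings Kubernetes creates for those groups by design, and builds the granular, namespace-scoped replacement the advisory recommends. The sample document is constructed; the binding name, the team group and the namespace in it are assumptions, while the role name is the one cited in the coverage.

```python
"""Audit ClusterRoleBindings for roles handed to every authenticated principal.

Usage: kubectl get clusterrolebindings -o json | python audit_crb.py
"""
import json
import sys

BROAD_GROUPS = {"system:authenticated", "system:unauthenticated"}

# Bindings every Kubernetes cluster creates for these groups on purpose
# (API discovery and self-subject access review); reporting them is noise.
KNOWN_DEFAULT_BINDINGS = {
    "system:basic-user", "system:discovery", "system:public-info-viewer",
}

RBAC_GROUP = "rbac.authorization.k8s.io"


def _crb(name, role, subject_name, subject_kind="Group"):
    """Helper to build a ClusterRoleBinding object for the constructed sample."""
    return {
        "apiVersion": RBAC_GROUP + "/v1",
        "kind": "ClusterRoleBinding",
        "metadata": {"name": name},
        "roleRef": {"apiGroup": RBAC_GROUP, "kind": "ClusterRole", "name": role},
        "subjects": [{"apiGroup": RBAC_GROUP, "kind": subject_kind,
                      "name": subject_name}],
    }


# Constructed sample shaped like `kubectl get clusterrolebindings -o json`.
# Binding and group names are assumptions; the role name is from the coverage.
SAMPLE_CRB_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        _crb("kueue-batch-user-rolebinding", "kueue-batch-user-role",
             "system:authenticated"),                       # the weak binding
        _crb("ds-team-batch-user", "kueue-batch-user-role",
             "data-science-team"),                          # a scoped grant
        _crb("system:basic-user", "system:basic-user",
             "system:authenticated"),                       # stock default
    ],
})


def find_broad_bindings(crb_list_json, ignore_defaults=True):
    """Return bindings whose subjects include a broad group.

    Each finding records the binding name, the role it grants and which
    broad group(s) receive it. Subjects can be null on a binding, so the
    subject list is read defensively.
    """
    findings = []
    for crb in json.loads(crb_list_json).get("items", []):
        name = crb["metadata"]["name"]
        if ignore_defaults and name in KNOWN_DEFAULT_BINDINGS:
            continue
        broad = [s["name"] for s in (crb.get("subjects") or [])
                 if s.get("kind") == "Group" and s.get("name") in BROAD_GROUPS]
        if broad:
            findings.append({"binding": name, "role": crb["roleRef"]["name"],
                             "granted_to": broad})
    return findings


def scoped_replacement(finding, namespace, group):
    """Build a namespaced RoleBinding granting the same ClusterRole to one
    named group: the granular grant the advisory recommends instead of a
    cluster-wide binding to system:authenticated."""
    return {
        "apiVersion": RBAC_GROUP + "/v1",
        "kind": "RoleBinding",
        "metadata": {"name": finding["binding"] + "-" + group,
                     "namespace": namespace},
        "roleRef": {"apiGroup": RBAC_GROUP, "kind": "ClusterRole",
                    "name": finding["role"]},
        "subjects": [{"apiGroup": RBAC_GROUP, "kind": "Group", "name": group}],
    }


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CRB_LIST
    for f in find_broad_bindings(data):
        print(f"{f['binding']}: grants {f['role']} to {', '.join(f['granted_to'])}")
        print(json.dumps(scoped_replacement(f, "ml-jobs", "data-science-team"),
                         indent=2))
```

Deleting the flagged ClusterRoleBinding and applying the generated RoleBinding per namespace where batch jobs are legitimate restores least privilege; run the audit again afterwards, and also after upgrades, since operators can recreate bindings they own.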
North Korea IT worker scheme expanding to more industries, countries outside of US tech sector
Date: 2025-09-30 | Source: Recorded Future
North Korea's illicit IT worker scheme is expanding beyond the U.S. tech sector, targeting various industries globally, including finance, healthcare, and government. A report by Okta reveals over 6,500 job interviews linked to 130 fake identities, with 27% of targets outside the U.S. The campaign poses risks to sensitive data, particularly in healthcare. Okta warns that North Korean actors may increasingly resort to ransomware and data theft as law enforcement disrupts their operations.
2025-09-30 | The Register: Fake North Korean IT workers sneaking into healthcare, finance, and AI
Fraudsters from North Korea are increasingly targeting non-tech sectors, with 48% of their job applications directed at healthcare, finance, and AI organizations, according to Okta Threat Intelligence. Over 130 identities linked to this scheme have been tracked, resulting in more than 6,500 job interviews. The report highlights a rise in applications to AI firms and healthcare roles, which could expose sensitive data. The primary goal remains financial gain, but data theft and extortion are also concerns.
2025-10-01 | Help Net Security: North Korea’s IT workers are targeting firms beyond tech, crypto, and the U.S.
North Korea's IT Workers (ITW) program is expanding its targets beyond U.S. tech and crypto firms to various sectors, including finance, healthcare, and public administration. Okta's research identified over 130 DPRK-linked identities conducting 6,500 interviews across 5,000+ companies, with 50% of targets outside tech. Recommendations for organizations include rigorous identity verification, advanced screening, least-privilege access, vendor safeguards, insider-threat programs, and collaboration with law enforcement.
2025-10-01 | DIGIT: North Korea’s Fake Worker Scheme Spreading to New Industries
North Korea's fake IT worker scheme is expanding into various industries beyond tech, including finance, healthcare, and public services, according to Okta Threat Intelligence. Tracking over 130 false identities, DPRK nationals applied for over 6,500 jobs across 5,000 companies, primarily targeting US firms (73%). The report emphasizes the need for enhanced identity verification and screening processes to mitigate insider threats, as these actors exploit remote job opportunities for high wages and access to valuable resources.
2025-10-01 | Chainalysis: DPRK IT Workers: Inside North Korea’s Crypto Laundering Network
North Korean IT workers are infiltrating global IT companies to earn cryptocurrency, funding the regime's weapons programs. Recent U.S. sanctions targeted individuals like Sim Hyon Sop and Lu Huaying, involved in laundering DPRK funds. Techniques include using VPNs, false identities, and decentralized exchanges to obscure transactions. Advisories from OFAC and the FBI highlight red flags for detection, urging companies to implement checks against potential DPRK worker activity to prevent sanctions evasion.
2025-10-02 | Cyberscoop: North Korea IT worker scheme swells beyond US companies
North Korean nationals are increasingly infiltrating various industries globally, not just technology, by concealing their identities to secure remote jobs. Okta's report indicates that these operatives have targeted over 5,000 companies, with 27% of roles outside the U.S., including the UK, Canada, and Germany. The scheme has expanded to finance and engineering positions, reflecting a 220% increase in activity. This poses a significant risk as non-U.S. companies may lack awareness and robust screening measures.
Smishing Campaigns Exploit Cellular Routers to Target Belgium
Date: 2025-09-30 | Source: Infosecurity Magazine
A wave of smishing attacks targeting Belgium has been linked by Sekoia.io to compromised Milesight industrial cellular routers. Detected on July 22, 2025, the attacks abused the routers' SMS API to send phishing texts impersonating government services. Over 19,000 such routers are publicly accessible, 572 of which allow unauthenticated access. The campaigns, ongoing since February 2022, have also affected other countries. Sekoia.io urges vigilance against unsolicited messages and suspicious URLs to counter this evolving threat.
Smishing Campaigns Exploit Cellular Routers to Target Belgium
2025-10-01 | Risky.Biz: Risky Bulletin: Router APIs abused to send SMS spam waves
A threat actor has been exploiting Milesight industrial cellular routers to send SMS spam (smishing) across several European countries since February 2022. The attackers leverage CVE-2023-43261, an information-disclosure flaw that exposes system log files without authentication; admin credentials recovered from those logs are then used to abuse the SMS API. Over 19,000 routers are exposed online, 572 of them reachable without authentication. Most spam targets users in Sweden, Italy, and Belgium and carries phishing links to various services.
2025-10-01 | Cyber Security News: Hackers Exploit Cellular Router’s API to Send Malicious SMS Messages With Weaponized Links
Hackers are exploiting vulnerabilities in cellular routers' web-based management interfaces to send malicious SMS messages. By targeting exposed APIs, attackers can dispatch SMS containing weaponized links, leading to credential theft or malware downloads. This technique has been observed in August and September 2025, with spikes in SMS traffic from routers. Common issues include unchanged default credentials and outdated firmware. Recommendations include enforcing strong credentials, disabling unused SMS interfaces, and monitoring SMS traffic.
2025-10-01 | The Hacker News: Hackers Exploit Milesight Routers to Send Phishing SMS to European Users
Hackers are exploiting Milesight industrial cellular routers to send phishing SMS messages in a smishing campaign targeting users in Sweden, Italy, and Belgium since February 2022. The attackers utilize the routers' API to send malicious SMS with typosquatted URLs impersonating government and banking platforms. Of 18,000 routers, 572 are potentially vulnerable due to exposed APIs. The exploitation involves a now-patched flaw (CVE-2023-43261) and allows access to SMS features without authentication, complicating detection efforts.
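The articles above recommend monitoring SMS traffic from routers and watching for lookalike links. The following is an added example, not code from Sekoia.io, Milesight or any of the cited outlets: it parses a constructed router SMS-send log (the line format, router names, numbers, brand list and allowlist are all assumptions for the example) and flags routers that either burst past a per-minute send threshold or send links whose domain impersonates a known brand.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from difflib import SequenceMatcher

# Constructed sample of SMS-send events exported from a router fleet. The
# line format is invented for this example; real Milesight logs differ.
SAMPLE_LOG = """\
2025-09-12T08:00:01 router=edge-01 event=sms_send to=+32470000001 msg="Alarm cleared on pump 3"
2025-09-12T08:20:00 router=edge-01 event=sms_send to=+32470000002 msg="Maintenance window tonight 22:00"
2025-09-12T09:00:00 router=edge-07 event=sms_send to=+32471000001 msg="Je pakket wacht: https://bpost-levering.be/track"
2025-09-12T09:00:05 router=edge-07 event=sms_send to=+32471000002 msg="Je pakket wacht: https://bpost-levering.be/track"
2025-09-12T09:00:11 router=edge-07 event=sms_send to=+32471000003 msg="Je pakket wacht: https://bpost-levering.be/track"
2025-09-12T09:00:17 router=edge-07 event=sms_send to=+32471000004 msg="Controleer uw itsme: https://itsme-verify.net/login"
2025-09-12T09:00:22 router=edge-07 event=sms_send to=+32471000005 msg="Controleer uw itsme: https://itsme-verify.net/login"
2025-09-12T09:00:30 router=edge-07 event=sms_send to=+32471000006 msg="Controleer uw itsme: https://itsme-verify.net/login"
2025-09-12T10:15:00 router=edge-03 event=sms_send to=+32472000001 msg="Status page: https://bpost.be/track"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) router=(?P<router>\S+) event=sms_send to=(?P<to>\S+) msg="(?P<msg>.*)"$'
)
URL_RE = re.compile(r'https?://([^\s/"\']+)')

# Brands the campaign impersonates and the domains those brands actually use.
# Both are assumptions for the example; substitute your own lists.
BRANDS = ("bpost", "itsme")
ALLOWLIST = {"bpost.be", "itsme.be"}


def parse_log(text):
    """Parse the constructed log into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or malformed line: skip, do not crash the pipeline
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def burst_counts(events, window_s=60):
    """Peak number of SMS sent by each router inside any sliding window of window_s seconds."""
    stamps = defaultdict(list)
    for e in events:
        stamps[e["router"]].append(e["ts"])
    peaks = {}
    for router, ts_list in stamps.items():
        ts_list.sort()
        start, best = 0, 0
        for end, t in enumerate(ts_list):
            while t - ts_list[start] > timedelta(seconds=window_s):
                start += 1
            best = max(best, end - start + 1)
        peaks[router] = best
    return peaks


def lookalike_brand(domain):
    """Return the impersonated brand if the domain resembles one and is not allowlisted."""
    host = domain.lower()
    if host in ALLOWLIST:
        return None
    labels = host.split(".")
    registrable = labels[-2] if len(labels) >= 2 else labels[0]
    for brand in BRANDS:
        # Substring catches "bpost-levering"; the ratio catches near-misspellings.
        if brand in registrable or SequenceMatcher(None, brand, registrable).ratio() >= 0.8:
            return brand
    return None


def suspicious_urls(events):
    """Unique (router, domain, brand) triples for lookalike links in message bodies."""
    hits = set()
    for e in events:
        for domain in URL_RE.findall(e["msg"]):
            brand = lookalike_brand(domain)
            if brand:
                hits.add((e["router"], domain, brand))
    return sorted(hits)


def triage(text, window_s=60, threshold=5):
    """Routers to investigate: bursting past the threshold or sending lookalike links."""
    events = parse_log(text)
    peaks = burst_counts(events, window_s)
    bursting = {r for r, n in peaks.items() if n >= threshold}
    linking = {r for r, _, _ in suspicious_urls(events)}
    return sorted(bursting | linking)


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))  # ['edge-07']
```

The two signals are kept separate on purpose: a router abused through an exposed API usually shows a send rate far above its operational baseline, but a low-and-slow campaign will only be caught by the link check, so `triage` unions both.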
Canadian airline WestJet says some customer data stolen in June cyberattack
Date: 2025-09-30 | Source: Cybersecurity Dive
WestJet reported that a cyberattack on June 13 resulted in the theft of certain customer data, including names, contact information, and reservation details. No credit card information or passwords were compromised. The airline is collaborating with forensic experts and various authorities, including Transport Canada and law enforcement, to investigate and enhance security measures. The attack coincided with a shift in tactics by the cybercrime group Scattered Spider, which has targeted the airline sector.
Canadian airline WestJet says some customer data stolen in June cyberattack
2025-10-01 | Security Affairs: WestJet confirms cyberattack exposed IDs, passports in June incident
WestJet confirmed a June cyberattack that exposed customer IDs and passports, impacting internal systems and its mobile app. The breach did not affect operational safety, but sensitive personal data was compromised. Affected individuals may have had their names, birthdates, and travel document details exposed, though no financial information was involved. WestJet is investigating with law enforcement and has offered free 24-month identity theft protection to affected customers.
2025-10-01 | TechCrunch: Data breach at Canadian airline WestJet affects 1.2M passengers
A data breach at WestJet, Canada’s second-largest airline, has compromised the personal information of 1.2 million passengers. The breach, disclosed in a filing with Maine’s attorney general, includes names, dates of birth, postal addresses, and travel documents. Additionally, customer rewards information, such as points balances, may have been affected. The incident, linked to the hacking group Scattered Spider, was discovered in June when WestJet detected unauthorized access to its systems.
2025-10-01 | Recorded Future: 1.2 million people had information stolen during cyberattack on WestJet
WestJet confirmed that 1.2 million individuals had their information stolen during a cyberattack in June, attributed to the Scattered Spider group. The breach involved sensitive data, including names, addresses, travel documents, and rewards program details, but no passwords or credit card information were compromised. The airline is providing two years of identity monitoring services to victims. Investigations are ongoing with the FBI and Canadian authorities. Other airlines, including Qantas, also reported similar attacks.
2025-10-01 | Hack Read: WestJet Confirms Passenger IDs and Passports Stolen in Cyberattack
WestJet confirmed a cyberattack on June 13, 2025, exposing passenger IDs and passports. The breach involved unauthorized access to internal systems but did not compromise flight safety or sensitive financial data. Stolen information includes names, birth dates, addresses, and travel document details. WestJet is offering 24 months of complimentary identity theft monitoring through TransUnion. The airline is cooperating with law enforcement and regulatory bodies, urging affected individuals to monitor their accounts for suspicious activity.
Imgur blocks access to UK users after regulator warned of fine
Date: 2025-09-30 | Source: BBC News
Imgur has blocked access to UK users following a warning from the Information Commissioner's Office (ICO) about a potential fine related to age checks and children's data protection. Users in the UK now see an error message stating "content not available in your region." The ICO's investigation, initiated in March, found that Imgur did not require age declaration for account setup. The ICO issued a notice of intent to impose a fine on September 10, with the investigation ongoing.
Imgur blocks access to UK users after regulator warned of fine
2025-09-30 | DIGIT: Imgur Blocks UK Access Following ICO Investigation
Imgur has blocked access to its platform for UK users following an ICO investigation into its compliance with UK data protection laws regarding age checks and children's data. Users receive an error message stating content is unavailable in their region. The ICO proposed a fine on MediaLab AI, Imgur's parent company, after finding it did not verify user ages during account creation. Users can still exercise data protection rights, including data requests and account deletion.
2025-10-01 | Infosecurity Magazine: ICO: Imgur’s UK Decision Won’t Prevent Regulatory Fine
The UK’s Information Commissioner’s Office (ICO) stated that Imgur's decision to block access in the UK does not exempt it from regulatory scrutiny for past data protection violations. Imgur will restrict UK access from September 30, 2025, following concerns over its handling of children's data. The ICO issued a notice of intent to fine Imgur's parent company, MediaLab, on September 10, as part of an ongoing investigation into compliance with the Children’s Code under UK GDPR.
2025-10-01 | The Register: Imgur yanks Brit access to memes as parent company faces fine
The UK's Information Commissioner's Office (ICO) is investigating MediaLab, Imgur's parent company, for potential data protection law violations regarding children's data. Following the investigation, Imgur has blocked UK users, stating access will cease entirely by September 30, 2025. Users can still request their data under UK GDPR. ICO emphasizes that exiting the UK does not exempt companies from accountability for past infringements, and safeguarding children's data remains a priority.
Gemini Trifecta Highlights Dangers of Indirect Prompt Injection
Date: 2025-09-30 | Source: Infosecurity Magazine
Researchers at Tenable have identified three vulnerabilities in Google Gemini, termed the "Gemini Trifecta," which enable indirect prompt injection and data exfiltration. The first affects Gemini Cloud Assist: attacker-controlled text planted in cloud logs is treated as instructions when Gemini summarizes those logs. The second targets the Search Personalization Model, where malicious queries injected into a user's search history are picked up as prompts. The third abuses the Gemini Browsing Tool to send sensitive data to an attacker-controlled destination. Google has addressed these issues, but security teams are advised to treat logs and other untrusted inputs reaching AI assistants as potential injection vectors.
Gemini Trifecta Highlights Dangers of Indirect Prompt Injection
2025-09-30 | The Hacker News: Researchers Disclose Google Gemini AI Flaws Allowing Prompt Injection and Cloud Exploits
Cybersecurity researchers disclosed three patched vulnerabilities in Google's Gemini AI, collectively termed the Gemini Trifecta. These include a prompt injection flaw in Gemini Cloud Assist, allowing cloud service exploitation; a search-injection flaw in the Search Personalization model, enabling data leakage through manipulated search history; and an indirect prompt injection flaw in the Browsing Tool for exfiltrating user data. Google has implemented measures to mitigate these risks, emphasizing the need for security in AI tools.
2025-10-01 | Malwarebytes Labs: Gemini AI flaws could have exposed your data
Security researchers identified three vulnerabilities in Google’s Gemini AI assistant, dubbed the "Trifecta." These flaws could allow attackers to exploit Gemini Cloud Assist, Gemini Search Personalization Model, and Gemini Browsing Tool to gain control over cloud resources, inject harmful prompts, and leak personal data. Google has patched these vulnerabilities by blocking dangerous links and enhancing defenses. Users are advised to avoid suspicious websites, keep software updated, and be cautious with shared information.
2025-10-02 | Hack Read: Google Patches “Gemini Trifecta” Vulnerabilities in Gemini AI Suite
Cybersecurity researchers at Tenable identified three critical vulnerabilities in Google's Gemini AI suite, termed "Gemini Trifecta," disclosed around October 1, 2025. These flaws allowed prompt injection and data exfiltration through the Gemini Search Personalization Model, Gemini Cloud Assist, and Gemini Browsing Tool. Google has since patched these issues by rolling back vulnerable models and enhancing defenses. The incident highlights AI assistants as potential security weak points, necessitating caution in data sharing.
Urgent: China-Linked Hackers Exploit New VMware Zero-Day Since October 2024
Date: 2025-09-30 | Source: The Hacker News
A zero-day vulnerability, CVE-2025-41244 (CVSS score: 7.8), affecting Broadcom VMware Tools and VMware Aria Operations, has been exploited by the China-linked threat actor UNC5174 since mid-October 2024. This local privilege escalation flaw lets an unprivileged user on a guest VM gain root where the service discovery feature (SDMP) is in use. The root cause lies in the get_version() function of the service-discovery logic, which selects binaries by an over-broad pattern and so will execute a binary planted in a non-system path with elevated privileges while collecting version information. VMware has released patches for affected versions, including VMware Tools 12.4.9 for Windows and updates for Linux.
Urgent: China-Linked Hackers Exploit New VMware Zero-Day Since October 2024
2025-09-30 | Security Affairs: Broadcom patches VMware Zero-Day actively exploited by UNC5174
Broadcom patched six VMware vulnerabilities, including CVE-2025-41244, a zero-day exploited by the China-linked threat actor UNC5174 since mid-October 2024. This local privilege escalation flaw (CVSS 7.8) affects VMware Tools and Aria Operations, allowing non-admin users to escalate privileges to root. Other vulnerabilities patched include CVE-2025-41245 (information disclosure) and CVE-2025-41246 (improper authorization). Affected versions include VMware Cloud Foundation, vSphere, Aria Operations, and Tools.
2025-10-01 | TechRadar: Broadcom finally patches dangerous VMware zero-day exploited by Chinese hackers
Broadcom has patched CVE-2025-41244, a high-severity VMware privilege escalation zero-day exploited by the Chinese hacking group UNC5174. This vulnerability allowed limited users to gain root access on VMs running VMware Tools and Aria Operations with SDMP enabled, scoring 7.8/10 in severity. Affected users should update to VMware Tools 12.4.9 for Windows 32-bit or use the open-vm-tools version provided by Linux vendors. UNC5174 previously targeted French government and commercial sectors using Ivanti CSA vulnerabilities.
2025-10-01 | Infosecurity Magazine: Broadcom Issues Patches for VMware NSX and vCenter Security Flaws
Broadcom has released critical security updates for VMware NSX and vCenter, addressing high-severity vulnerabilities (CVE-2025-41250, CVE-2025-41251, CVE-2025-41252) reported by the NSA. CVE-2025-41250 allows attackers to modify email notifications in vCenter, while the NSX flaws enable unauthenticated username enumeration. These vulnerabilities could facilitate unauthorized access. Additional vulnerabilities in VMware Aria Operations and Tools (CVE-2025-41244, CVE-2025-41245, CVE-2025-41246) also allow privilege escalation. Immediate updates are recommended.
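The summaries above describe the root cause of CVE-2025-41244 as a version-discovery routine that matches binaries too loosely. The following is an added, illustrative model of that class of bug, not VMware's code and not an exploit: a "vulnerable" selector that executes any running binary whose path ends in a service name, beside a hardened selector that only accepts root-owned, non-writable binaries under trusted directories. The service-name pattern, trusted directories, process list and the filesystem stand-in are all assumptions for the example.

```python
import re
import stat
from dataclasses import dataclass

# Illustrative model of the flawed pattern, NOT VMware's code: a privileged
# discovery job picks running binaries whose path ends in a known service name
# and runs each with a version flag. The pattern is an assumption for the example.
SERVICE_NAME_RE = re.compile(r"^\S+/(httpd|mysqld|nginx|postgres)$")

# Directories a root-run discovery job may execute from (also an assumption).
TRUSTED_DIRS = ("/usr/sbin/", "/usr/bin/", "/usr/lib/", "/opt/")

# Constructed stand-in for the filesystem: path -> (owner uid, mode bits).
CONSTRUCTED_FS = {
    "/usr/sbin/httpd": (0, 0o755),       # genuine package binary, root-owned
    "/opt/mysqld": (0, 0o775),           # root-owned but group-writable
    "/tmp/httpd": (1000, 0o755),         # planted by an unprivileged user
    "/home/alice/nginx": (1000, 0o777),  # planted, world-writable
    "/usr/bin/python3": (0, 0o755),      # not a service name, never considered
}


@dataclass(frozen=True)
class Proc:
    pid: int
    exe: str  # resolved executable path, as /proc/<pid>/exe would give
    uid: int  # uid the process runs as


def select_vulnerable(procs):
    """Over-broad selection: any path ending in a service name is executed as root,
    so /tmp/httpd started by uid 1000 qualifies exactly like /usr/sbin/httpd."""
    return [p.exe for p in procs if SERVICE_NAME_RE.match(p.exe)]


def select_hardened(procs, fs=CONSTRUCTED_FS):
    """Only execute binaries that live in a trusted directory, are root-owned and
    are not writable by group or other. Everything else is skipped, not run."""
    chosen = []
    for p in procs:
        if not SERVICE_NAME_RE.match(p.exe):
            continue
        if not p.exe.startswith(TRUSTED_DIRS):
            continue
        owner, mode = fs.get(p.exe, (None, 0))
        if owner != 0:
            continue
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            continue
        chosen.append(p.exe)
    return chosen


def version_commands(procs, selector):
    """The argv the discovery job would run as root under a given selector."""
    return [[exe, "-v"] for exe in selector(procs)]


def planted_binaries(procs):
    """Binaries the vulnerable selector would run but the hardened one refuses:
    the set an unprivileged user could substitute to run code as root."""
    return sorted(set(select_vulnerable(procs)) - set(select_hardened(procs)))


SAMPLE_PROCS = [
    Proc(101, "/usr/sbin/httpd", 0),
    Proc(202, "/opt/mysqld", 0),
    Proc(4242, "/tmp/httpd", 1000),
    Proc(4243, "/home/alice/nginx", 1000),
    Proc(77, "/usr/bin/python3", 1000),
]

if __name__ == "__main__":
    print(planted_binaries(SAMPLE_PROCS))  # ['/home/alice/nginx', '/opt/mysqld', '/tmp/httpd']
```

A real implementation would read ownership and mode from the resolved path of each process executable rather than from a dictionary, and would still face a time-of-check/time-of-use window; the point here is that the selection step, not the execution step, is where the trust decision has to be made.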
Phantom Taurus: Discovery of a New Chinese-Nexus APT and the NET-STAR Malware Suite
Date: 2025-09-30 | Source: Palo Alto
Phantom Taurus is a newly identified Chinese APT group focusing on espionage against government and telecommunications sectors in Africa, the Middle East, and Asia. Their operations, characterized by stealth and adaptability, utilize a custom malware suite named NET-STAR, which targets IIS web servers. Key components include the IIServerCore backdoor and AssemblyExecuter variants, which support advanced evasion techniques; alongside the suite, the group collects data directly from databases using a batch script. The group’s activities align with PRC strategic interests, reflecting a significant evolution of the threat landscape.
Phantom Taurus: Discovery of a New Chinese-Nexus APT and the NET-STAR Malware Suite
2025-09-30 | Palo Alto: Phantom Taurus: A New Chinese Nexus APT and the Discovery of the NET-STAR Malware Suite
Phantom Taurus is a newly identified Chinese APT group focused on espionage against government and telecommunications sectors in Africa, the Middle East, and Asia. They utilize a unique malware suite called NET-STAR, which targets IIS web servers and includes advanced evasion techniques. The group has shifted from email theft to direct database targeting using a script named mssq.bat. Their operations reflect PRC's geopolitical interests, employing sophisticated tools and methods for long-term access to sensitive information.
2025-09-30 | The Hacker News: Phantom Taurus: New China-Linked Hacker Group Hits Governments With Stealth Malware
A new China-linked hacking group, Phantom Taurus, has targeted government and telecommunications organizations in Africa, the Middle East, and Asia for over two years, focusing on espionage. They utilize a custom malware suite called NET-STAR, designed for IIS web servers, employing advanced evasion techniques. Their operations coincide with geopolitical events, and they have shifted from email gathering to directly targeting databases. Initial access may exploit vulnerabilities in IIS and Microsoft Exchange servers.
2025-09-30 | Hack Read: Chinese APT Phantom Taurus Targeted MS Exchange Servers Over 3 Years
A Chinese cyberespionage group, Phantom Taurus, has targeted Microsoft Exchange servers for nearly three years, focusing on foreign ministries and embassies to gather sensitive diplomatic and military communications. Linked to state-backed hacking, the group employs custom tools to evade detection and has expanded to direct database collection. A new malware suite, NET-STAR, compromises IIS servers using a fileless backdoor, complicating detection efforts. The campaign reflects ongoing espionage against high-value targets.
2025-09-30 | Cyberscoop: Palo Alto Networks spots new China espionage group showcasing advanced skills
Palo Alto Networks' Unit 42 has identified a new Chinese espionage group, Phantom Taurus, which has targeted nearly 10 victim organizations in the Middle East, Africa, and Asia. The group employs unique malware, including the NET-STAR suite, designed for stealth and evasion. It infiltrates networks through unpatched internet-facing devices, focusing on ministries and telecom networks to steal sensitive data. Its operations have expanded, with recent activity noted just months ago.
2025-10-01 | The Register: Beijing-backed burglars master .NET to target government web servers
Palo Alto Networks’ Unit 42 identified a China-backed hacking group named “Phantom Taurus,” which targets military and diplomatic entities across Asia, the Middle East, and Africa. They developed a malware suite called “NET-STAR” aimed at IIS web servers, featuring three backdoors: IIServerCore, AssemblyExecuter V1, and AssemblyExecuter V2. These tools utilize advanced evasion techniques, posing a significant threat to internet-facing servers. Indicators of compromise are provided, but infection methods remain unspecified.
2025-10-01 | Infosecurity Magazine: New China-Aligned Hackers Hit State and Telecom Sectors
A newly identified cyber espionage group, Phantom Taurus, has been targeting government and telecom sectors in Africa, the Middle East, and Asia for over two years. Palo Alto Networks reported on September 30, 2025, that the group focuses on diplomatic communications and defense intelligence, employing a custom batch script to extract data from SQL Server databases. Their operations utilize Windows Management Instrumentation for remote execution, indicating a shift from email theft to direct database targeting, aligning with Chinese state interests.
2025-10-01 | TechRadar: Chinese hackers hit government systems, stealing emails and more - here's what we know
Chinese state-sponsored hackers, identified as Phantom Taurus, have targeted diplomatic entities in South Asia and the Middle East, specifically Afghanistan and Pakistan, using sophisticated NET-STAR malware. Unit 42 attributes this group to China based on their tactics and infrastructure. The malware demonstrates advanced evasion techniques and poses a significant threat to internet-facing servers. The exact infection methods remain unclear, but typical tactics likely include spear-phishing or exploiting zero-day vulnerabilities.
2025-10-01 | Recorded Future: China-linked hacking group Phantom Taurus targeting embassies, foreign ministries
A China-linked hacking group, Phantom Taurus, has been targeting embassies and foreign ministries across Africa, the Middle East, and Asia for about two-and-a-half years. Researchers from Palo Alto Network’s Unit 42 noted the group employs advanced tactics and a new malware suite called NET-STAR, which targets Microsoft IIS web servers. This malware is difficult to detect and allows access to sensitive databases. Attacks often coincide with major geopolitical events, although specific targeted countries were not disclosed.
2025-10-01 | CSO Online: Chinese APT group Phantom Taurus targets gov and telecom organizations
Researchers from Palo Alto Networks have identified a new Chinese APT group named Phantom Taurus, which targets government and telecommunications organizations in Africa, the Middle East, and Asia. The group aims for long-term covert access to critical systems, focusing on ministries of foreign affairs, embassies, and military operations. Their attacks exhibit stealth, persistence, and adaptability in tactics, techniques, and procedures (TTPs), with espionage as the primary objective.
2025-10-02 | Security Affairs: China-linked APT Phantom Taurus uses Net-Star malware in espionage campaigns against key sectors
China-linked APT Phantom Taurus has been conducting espionage campaigns against government and telecom organizations for over 2.5 years, utilizing the custom Net-Star malware suite. Initially focused on stealing emails, the group shifted tactics in early 2025 to target SQL Server databases, employing a script to extract sensitive data. The Net-Star suite includes advanced tools like IIServerCore, which operates filelessly and evades detection, posing significant risks to internet-facing servers.
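Several of the reports above describe the same post-compromise pattern: a batch script (mssq.bat) launched through Windows Management Instrumentation that drives sqlcmd against SQL Server databases. The following is an added detection example, not code from Unit 42 or any cited outlet: it runs two rules over constructed Sysmon-style process-creation events (field names follow Sysmon's; the host names, users, GUIDs such as {A}, paths and command lines are invented), flagging a WmiPrvSE-spawned shell that runs a .bat file and any sqlcmd whose process ancestry leads back to WmiPrvSE.

```python
import json

# Constructed Sysmon-style process-creation events (EventID 1) as JSON lines.
# Field names follow Sysmon; every value, GUID and host name is invented.
SAMPLE_EVENTS = r"""
{"EventID":1,"Computer":"MFA-WEB01","ProcessGuid":"{A}","ParentProcessGuid":"{S}","Image":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","ParentImage":"C:\\Windows\\System32\\svchost.exe","CommandLine":"C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding","User":"NT AUTHORITY\\NETWORK SERVICE"}
{"EventID":1,"Computer":"MFA-WEB01","ProcessGuid":"{B}","ParentProcessGuid":"{A}","Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","CommandLine":"cmd.exe /c C:\\Windows\\Temp\\mssq.bat","User":"MFA\\svc_web"}
{"EventID":1,"Computer":"MFA-WEB01","ProcessGuid":"{C}","ParentProcessGuid":"{B}","Image":"C:\\Program Files\\Microsoft SQL Server\\Client SDK\\ODBC\\170\\Tools\\Binn\\SQLCMD.EXE","ParentImage":"C:\\Windows\\System32\\cmd.exe","CommandLine":"sqlcmd -S DB01 -Q \"select * from dbo.Messages\" -o C:\\Windows\\Temp\\out.txt","User":"MFA\\svc_web"}
{"EventID":1,"Computer":"DEV07","ProcessGuid":"{D}","ParentProcessGuid":"{X}","Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"cmd.exe /c build.bat","User":"MFA\\alice"}
{"EventID":1,"Computer":"DBA-WS","ProcessGuid":"{E}","ParentProcessGuid":"{Y}","Image":"C:\\Program Files\\Microsoft SQL Server\\Client SDK\\ODBC\\170\\Tools\\Binn\\SQLCMD.EXE","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"sqlcmd -S DB01 -Q \"select count(*) from dbo.Messages\"","User":"MFA\\dba"}
"""


def load_events(text):
    """Parse JSON lines, skipping blank ones."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(event, by_guid, max_depth=4):
    """Parent-chain image names, nearest first. Starts from the event's own
    ParentImage so an unseen parent still contributes one hop, then follows
    ParentProcessGuid through the events we hold."""
    chain = [basename(event["ParentImage"])]
    cur = by_guid.get(event.get("ParentProcessGuid"))
    while cur is not None and len(chain) < max_depth:
        chain.append(basename(cur["ParentImage"]))
        cur = by_guid.get(cur.get("ParentProcessGuid"))
    return chain


def detect(events):
    """Return (rule, host, ProcessGuid) findings in event order."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    findings = []
    for e in events:
        image = basename(e["Image"])
        cmd = e.get("CommandLine", "").lower()
        chain = ancestors(e, by_guid)
        # Rule 1: the WMI provider host spawning a shell that runs a batch script.
        if chain[0] == "wmiprvse.exe" and image == "cmd.exe" and ".bat" in cmd:
            findings.append(("wmi_spawned_batch", e["Computer"], e["ProcessGuid"]))
        # Rule 2: sqlcmd anywhere beneath WmiPrvSE, i.e. remote-driven database collection.
        if image == "sqlcmd.exe" and "wmiprvse.exe" in chain:
            findings.append(("sqlcmd_under_wmi", e["Computer"], e["ProcessGuid"]))
    return findings


if __name__ == "__main__":
    for finding in detect(load_events(SAMPLE_EVENTS)):
        print(finding)
```

Rule 2 deliberately keys on ancestry rather than the script name, so renaming mssq.bat does not evade it; the interactive sqlcmd run by the DBA on DBA-WS is not flagged because nothing in its chain is WmiPrvSE.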
Chinese scammer pleads guilty after UK seizes nearly $7 billion in bitcoin
Date: 2025-09-29 | Source: Recorded Future
Zhimin Qian, a Chinese national, pleaded guilty in a London court to running a fraudulent investment scheme that defrauded over 128,000 victims between 2014 and 2017, stealing billions. U.K. police seized nearly $7 billion in Bitcoin during a raid in 2018, believed to be the largest cryptocurrency seizure globally. Qian, who used a fake passport to flee to the U.K., will be sentenced later. Her co-conspirator, Jian Wen, was convicted of money laundering last year.
Chinese scammer pleads guilty after UK seizes nearly $7 billion in bitcoin
2025-09-30 | BBC News: Chinese woman convicted after 'world's biggest' bitcoin seizure
Zhimin Qian, also known as Yadi Zhang, was convicted in the UK for leading a £5.5bn bitcoin scam that defrauded over 128,000 victims between 2014 and 2017. Her guilty plea follows a seven-year investigation into a global money laundering operation. Qian, who evaded justice for five years, used false documents to enter the UK and attempted to launder the stolen funds through property purchases. She is currently in custody awaiting sentencing, with efforts ongoing to prevent the fraudsters from accessing the stolen assets.
2025-09-30 | The Hacker News: U.K. Police Just Seized £5.5 Billion in Bitcoin — The World’s Largest Crypto Bust
A U.K. police operation led to the seizure of £5.5 billion in Bitcoin, marking the largest cryptocurrency bust globally. Zhimin Qian, a Chinese national, pleaded guilty to fraud involving over 128,000 victims, primarily older individuals, who were misled into investing with false promises. Concurrently, INTERPOL's Operation Contender 3.0 arrested 260 suspects across 14 African nations, targeting romance scams and sextortion, resulting in 1,463 victims and $2.8 million in losses.
2025-09-30 | The Register: £5.5B Bitcoin fraudster pleads guilty after years on the run
Zhimin Qian, 47, pleaded guilty at Southwark Crown Court to acquiring and possessing criminal property under the Proceeds of Crime Act. Her fraud, affecting over 128,000 people in China from 2014 to 2017, netted her 61,000 Bitcoin, valued at over £5.5 billion. Qian attempted to launder the proceeds in the UK with Jian Wen, who was jailed last year for six years and eight months and ordered to repay £3.1 million or face additional prison time. Qian awaits sentencing.
2025-09-30 | Security Affairs: UK convicts Chinese national in £5.5B crypto fraud, marks world’s largest Bitcoin seizure
A Chinese national, Zhimin Qian, was convicted in the UK for a £5.5 billion crypto fraud, marking the world's largest cryptocurrency seizure of 61,000 Bitcoin. The case stemmed from a 2018 investigation into a scheme that defrauded 128,000 victims in China. Qian, who entered the UK in 2018, was arrested in April 2024 and admitted to laundering fraud proceeds. The Metropolitan Police emphasized the case's significance in combating global crypto fraud and money laundering.
2025-10-01 | Hack Read: London Court Convicts Chinese Mastermind Behind £5bn Crypto Seizure
Zhimin Qian, a Chinese national, pleaded guilty on September 29, 2025, at Southwark Crown Court for her role in laundering over £5.5 billion worth of cryptocurrency linked to a Ponzi scheme. Between 2014 and 2017, she defrauded around 128,000 victims through the Lantian Gerui fraud. The Bitcoin seized in the 2018 raid was worth over £300 million at the time; she was arrested in April 2024. The UK Crown Prosecution Service is now contesting the funds' ownership with Chinese authorities, as Qian awaits sentencing.
Asahi runs dry as online attackers take down Japanese brewer
Date: 2025-09-29 | Source: The Register
Asahi Group Holdings has shut down its distribution systems in Japan due to a cyberattack, significantly disrupting operations. The company is investigating the cause and restoring services, but no timeline for recovery is available. No theft of customer personal information or commercial data has been confirmed. The attack has not affected Asahi's European operations. The domestic market, which accounts for about half of Asahi's profits, is severely impacted, highlighting the risks faced by major companies in the food and drink sector.
Asahi runs dry as online attackers take down Japanese brewer
2025-09-30 | Security Affairs: Asahi halts ordering, shipping, and customer service after cyberattack
Japan's Asahi Group Holdings, the largest brewer in the country, has suspended ordering, shipping, and customer service operations due to a cyberattack. The company reported a system failure affecting its Japanese branch, but no personal information or customer data has been confirmed as leaked. Other branches remain unaffected. An investigation is ongoing, and there is no estimated timeline for recovery. No ransomware groups have claimed responsibility for the attack as of now.
2025-09-30 | Infosecurity Magazine: Asahi Suspends Operations in Japan After Cyber-Attack
Brewing giant Asahi suspended operations in Japan due to a cyber-attack causing a system failure, affecting order, shipment, and customer service operations. The incident was reported on September 29, with no confirmed leakage of personal data at this time. However, experts warn that the situation may evolve, and potential financial impacts could be significant due to Asahi's 40% market share in Japan. The attack highlights vulnerabilities in complex supply chains.
2025-09-30 | Recorded Future: Cyberattack on Japanese beer giant Asahi limits shipping, call center operations
A cyberattack on Japanese beverage company Asahi has led to a system failure affecting order shipments and call center operations in Japan. Asahi reported no confirmed leakage of personal information or customer data. The company is investigating the cause and working to restore operations, but there is no estimated timeline for recovery. Asahi, which owns brands like Peroni and Grolsch, has faced similar threats as other beverage companies globally over the past two years.
2025-09-30 | TechRadar: Asahi stops pouring after cyberattack stops production
Asahi Group Holdings has suspended operations at its Japanese distribution centers and customer service due to a cyberattack, impacting orders and shipments domestically. The attack has not affected international branches, but Japan accounts for about half of Asahi's profits. The company is investigating the cause and has not provided a recovery timeline. No ransomware group has claimed responsibility for the attack, which reflects a broader trend of significant cyber incidents affecting major businesses.
2025-09-30 | TechCrunch: Japan’s beer-making giant Asahi stops production after cyberattack
Asahi Group Holdings halted production at its Japanese factories following a cyberattack on Monday, leading to a system failure that disrupted order, shipment, and call center operations. The company has not confirmed any leakage of personal or customer data. As of Tuesday, production remains suspended across its 30 plants, with no timeline for recovery. Investigations are ongoing to determine the full impact of the attack, including whether it involved ransomware or data theft.
Dutch teen duo arrested over alleged 'Wi-Fi sniffing' for Russia
Date: 2025-09-29 | Source: The Register
Dutch police arrested two 17-year-olds allegedly recruited by Russian intelligence for espionage near Europol and Eurojust. One suspect was released with an ankle monitor, while the other remains in custody. The arrests followed observations of one teen using a "Wi-Fi sniffer." In response, Germany's Federal Criminal Police launched a campaign warning against Russian recruitment of spies via social media.
Dutch teen duo arrested over alleged 'Wi-Fi sniffing' for Russia
2025-09-29 | Security Affairs: Dutch teens arrested for spying on behalf of pro-Russian hackers
Dutch police arrested two 17-year-olds for allegedly spying for pro-Russian hackers, following a tip from Dutch intelligence. One suspect is in custody while the other is on home bail. They were reportedly recruited via Telegram to use a Wi-Fi sniffer near EU buildings in The Hague. This incident highlights the exploitation of youth in state-sponsored espionage and the risks posed by non-state actors like NoName057(16) and Killnet, complicating attribution and response to cyber threats.
2025-09-29 | Infosecurity Magazine: Dutch Authorities Arrest Teens in Foreign Interference Case
Two 17-year-old boys were arrested in the Netherlands for suspected espionage linked to foreign interference. They were contacted via Telegram by a pro-Russian hacker. One boy was seen near sensitive sites in The Hague with a Wi-Fi sniffer. One remains in custody; the other is under house arrest. The case reflects a trend of Russian actors recruiting youth in Europe for surveillance and minor vandalism, complicating attribution and reducing the political cost of interference.
2025-09-29 | Hack Read: Dutch Teens Arrested Over Alleged Spying for Pro-Russian Hackers
Two 17-year-old boys in the Netherlands were arrested for allegedly spying for pro-Russian hackers, marking a notable case of minors being recruited by foreign state actors. They were contacted via Telegram and involved in suspicious activities near key locations, including the Canadian embassy and Europol. One suspect was placed under house arrest, while the other remains in custody. This incident reflects a troubling trend of individuals being lured into espionage roles by Russian threat actors.
British department store Harrods warns customers that some personal details taken in data breach
Date: 2025-09-27 | Source: ABC News
Harrods has informed customers of a data breach involving its online systems, where some names and contact details were compromised due to a third-party provider's system being hacked. The affected data does not include passwords or payment information. The incident is described as isolated and contained. This breach is separate from a previous incident in May involving unauthorized access attempts. The company has not disclosed further details.
British department store Harrods warns customers that some personal details taken in data breach
2025-09-29 | Infosecurity Magazine: Harrods Reveals Supply Chain Breach Impacting Online Customers
Harrods disclosed a supply chain breach affecting some e-commerce customers, revealing that personal information, including names and contact details, was stolen from a third-party provider. The company confirmed that no payment details or passwords were compromised. Approximately 430,000 customer records may have been impacted. This incident follows a trend of rising ransomware attacks in the retail sector, with significant losses reported by other retailers like M&S and the Co-op due to similar breaches.
2025-09-29 | DIGIT: Customer Data Compromised in Harrods Data Breach
Harrods has reported a data breach affecting up to 430,000 online customers, with personal information such as names, contact details, and loyalty card information compromised. The breach originated from a third-party provider and does not involve payment details or account passwords. Harrods has informed affected customers and relevant authorities, emphasizing that the compromised data is unlikely to be accurately interpreted by unauthorized parties. The breach is separate from previous incidents affecting UK retailers earlier this year.
2025-09-29 | TechRadar: Harrods cyberattack - over 430,000 customers have data stolen, here's how to stay safe
Harrods confirmed a cyberattack has exposed the personal details of over 430,000 customers, including names and contact information, but not payment data or passwords. The breach is linked to a third-party provider and is not associated with previous attacks on UK retailers. Harrods will not engage with the hackers and has reported the incident to authorities. Customers are advised to use identity theft protection software and monitor their accounts for potential fraud.
2025-09-29 | The Register: Harrods blames its supplier after crims steal 430k customers’ data in fresh attack
Luxury retailer Harrods reported a cybersecurity breach affecting 430,000 customers, attributed to a third-party supplier. The incident was disclosed on September 26, with Harrods stating that the supplier assured it the breach was contained. Affected data includes names and contact details but not passwords or financial information. Harrods confirmed it is cooperating with authorities and emphasized that its own systems were not compromised. This incident is separate from a previous attack linked to the group Scattered Spider.
2025-09-29 | Security Affairs: Harrods alerts customers to new data breach linked to third-party provider
Harrods has alerted customers to a data breach involving a third-party provider, exposing names and contact details of some e-commerce customers. The breach does not involve account passwords or payment information. Harrods is investigating the incident and collaborating with cybersecurity experts to secure its systems. The company confirmed that the breach has been contained and is not linked to a previous cyberattack in May. Relevant authorities have been notified.
2025-09-29 | Hack Read: Harrods Data Breach: 430,000 Customer Records Stolen Via Third-Party Attack
On September 26, 2025, Harrods confirmed a data breach affecting up to 430,000 customer records due to a third-party IT attack. The compromised data includes basic personal information, loyalty card details, and marketing preferences, but no payment information or passwords were exposed. Harrods stated the incident is unrelated to previous unauthorized access attempts in May 2025. Customers are advised to monitor their accounts and be cautious of potential scams following the breach.
2025-09-29 | Cyber Security News: New Harrods Data Breach Exposes 430,000 Customer Personal Records
Harrods has reported a data breach affecting around 430,000 customer records due to a compromise at a third-party provider. The breach, disclosed on September 26, 2025, involved basic personal identifiers but no financial information. Harrods has informed affected customers and relevant authorities, including the ICO, in line with UK GDPR. The incident underscores the risk of cybercriminals targeting supply chain partners. Customers are advised to remain vigilant against phishing attempts.
Threat Actors Exploiting SonicWall Firewalls to Deploy Akira Ransomware Using Malicious Logins
Date: 2025-09-27 | Source: Cyber Security News
A surge in cyberattacks targeting SonicWall firewalls has been reported, deploying Akira ransomware since late July 2025. Attackers exploit CVE-2024-40766, bypassing OTP MFA via malicious SSL VPN logins. Once inside, they quickly scan networks, create admin accounts, and disable security tools. They exfiltrate sensitive data before deploying ransomware. Arctic Wolf advises organizations to reset SSL VPN credentials and monitor for suspicious activity, emphasizing that patching alone is insufficient if credentials are compromised.
2025-09-29 | Infosecurity Magazine: SonicWall SSL VPN Attacks Escalate, Bypassing MFA
Security experts report a surge in Akira ransomware attacks targeting SonicWall SSL VPN appliances, beginning in late July. Exploitation of CVE-2024-40766, an improper access control vulnerability, allows credential harvesting, enabling attacks even on patched devices. Threat actors bypassed OTP MFA, likely by obtaining OTP seeds. Rapid lateral movement was observed post-login, with recommendations to monitor for suspicious logins from hosting providers and restrict access from non-business countries. Early detection is crucial.
2025-09-29 | Security Affairs: Akira Ransomware bypasses MFA on SonicWall VPNs
Akira ransomware has been exploiting SonicWall SSL VPNs since July 21, 2025, bypassing OTP MFA likely using stolen OTP seeds and credentials from CVE-2024-40766. Targeting SonicWall NSA and TZ series devices running SonicOS 6–8, attackers rapidly scan internal networks post-login and deploy various tools for lateral movement. They maintain persistence through SSH tunnels and exfiltrate data using tools like rclone and FileZilla. The report emphasizes resetting SSL VPN and Active Directory credentials as a critical mitigation step.
2025-09-29 | Help Net Security: Akira ransomware: From SonicWall VPN login to encryption in under four hours
Akira ransomware attacks can deploy within four hours, exploiting stolen SonicWall SSL VPN credentials and bypassing MFA. Arctic Wolf researchers identified CVE-2024-40766 as the vulnerability exploited. Attackers scan networks, gain access to Domain Controllers, exfiltrate data, and disable security tools before deploying ransomware. Organizations are advised to monitor for unusual logins, reset all credentials, and block unauthorized remote tools to mitigate risks.
2025-09-29 | TechRadar: SonicWall VPN accounts breached by Akira ransomware - and even those using MFA are at risk
Akira ransomware exploits CVE-2024-40766 to breach SonicWall VPNs, even with MFA enabled. Researchers suspect that OTP seeds were compromised, allowing attackers to bypass one-time password protections. Despite SonicWall's patching efforts and customer advisories to reset SSL VPN credentials, successful logins have been reported. Google links these attacks to UNC6148, indicating that stolen OTP seeds from prior breaches are being used to authenticate against patched devices.
Cyber threat-sharing law set to shut down, along with US government
Date: 2025-09-26 | Source: The Register
The Cybersecurity Information Sharing Act (CISA) of 2015 is set to expire on October 1, coinciding with a potential US government shutdown. CISA allows companies to share cyber threat indicators with the government while protecting them from lawsuits. Supporters argue it is essential for national cybersecurity, claiming it has prevented billions in losses, while detractors view it as a privacy invasion. The Senate rejected a House-passed continuing resolution that included an extension for CISA, leaving its future uncertain.
2025-09-29 | Cyberscoop: Expired protections, exposed networks: The stakes of CISA’s sunset
The Cybersecurity Information Sharing Act (CISA) is set to expire, risking the loss of legal protections that facilitate threat intelligence sharing between organizations and the federal government. This could lead to increased legal exposure for companies sharing vital information, hindering collaborative cyber defense. Proposed legislation aims to extend CISA, but merely reauthorizing outdated frameworks won't address modern threats. A shift towards proactive behavioral analytics and enhanced intelligence sharing is essential for effective cybersecurity.
2025-09-30 | Recorded Future: Cyber information-sharing law and state grants set to go dark as Congress stalls over funding
Two federal cybersecurity programs are set to expire due to congressional funding impasses. The Cybersecurity Information Sharing Act (CISA 2015), which facilitates threat data sharing, and the State and Local Cybersecurity Grant Program, which allocated $1 billion for local defenses, face lapsing. Lawmakers express concerns over national security risks if these programs are not renewed, emphasizing their importance in combating rising cyber threats. Bipartisan support exists, but political disagreements hinder progress.
2025-09-30 | Cyberscoop: Watchdog: Cyber threat information-sharing program’s future uncertain with expected expiration of 2015 law
The Cybersecurity and Infrastructure Security Agency (CISA) faces uncertainty regarding its threat information-sharing program as the 2015 Cybersecurity Information Sharing Act (CISA 2015) is set to expire. An inspector general report highlights that CISA lacks plans for the Automated Indicator Sharing (AIS) program post-expiration, which could hinder its ability to protect critical infrastructure. The report notes a significant increase in shared cyber threat indicators in 2024 but warns of overreliance on a few partners for data sharing.
2025-10-01 | CSO Online: CISA 2015 cyber threat info-sharing law lapses amid government shutdown
The Cybersecurity Information Sharing Act of 2015 (CISA 2015) has expired due to a failure to extend it amid a US government shutdown. Originally designed to facilitate threat information sharing between the federal government and private sector while providing legal protections, its lapse means cybersecurity defenders no longer have liability protection, and the government loses visibility into private sector threats. The timeline for Congress to address this issue remains uncertain.
2025-10-01 | Cybersecurity Dive: Landmark US cyber-information-sharing program expires, bringing uncertainty
The expiration of the Cybersecurity Information Sharing Act (CISA 2015) on Wednesday has raised concerns about reduced cybersecurity collaboration between the U.S. government and private sector. The act provided legal protections for companies sharing threat information, which facilitated robust information exchange. Its lapse may lead to diminished sharing practices, increased legal scrutiny, and a weakened cybersecurity posture, leaving networks more vulnerable to attacks, according to industry leaders and lawmakers.
2025-10-02 | Infosecurity Magazine: Expired US Cyber Law Puts Data Sharing and Threat Response at Risk
The expiration of the Cybersecurity Information Sharing Act (CISA 2015) on September 30 has left companies vulnerable to lawsuits when sharing cyber threat intelligence. Industry leaders warn this lapse could weaken US cyber defenses, increase software supply chain vulnerabilities, and hinder AI security development. Experts predict a significant rise in data breach costs and a potential crisis in threat sharing, as companies may become reluctant to exchange vital threat data without legal protections.
Interpol Cracks Down on Large-Scale African Scamming Networks
Date: 2025-09-26 | Source: Infosecurity Magazine
A transnational operation, Operation Contender 3.0, led by Interpol, resulted in 260 arrests across 14 African countries from July 28 to August 11, 2025. The crackdown targeted romance scams and sextortion, uncovering networks in Ghana, Senegal, Côte d’Ivoire, and Angola. Investigators identified 1,463 victims with losses estimated at nearly $2.8 million. Seized items included 1,235 electronic devices, USB drives, SIM cards, and forged documents, dismantling 81 cybercrime infrastructures.
2025-09-26 | Recorded Future: Africa cybercrime crackdown includes hundreds of arrests, Interpol says
Authorities in several African countries arrested 260 individuals in a coordinated operation targeting online fraud schemes, according to Interpol. The operation identified over 1,460 victims who lost approximately $2.8 million, with Ghana reporting the highest arrests (68 suspects). Police dismantled online infrastructures and seized over 1,200 electronic devices. Interpol highlighted a rise in sextortion and romance scams, emphasizing challenges in prosecuting cybercrime due to legal and resource gaps.
2025-09-29 | Cyberscoop: Interpol operation disrupts romance scam and sextortion networks in Africa
Interpol's "Operation Contender 3.0" led to the arrest of 260 cybercrime suspects across 14 African countries, targeting romance scams and sextortion networks. The operation uncovered losses of approximately $2.8 million affecting nearly 1,500 victims. Key arrests included 68 in Ghana, 22 in Senegal, and 24 in Côte d’Ivoire. Authorities seized various digital devices and dismantled 81 cybercrime infrastructures. The operation highlighted a rise in digital-enabled crimes, prompting a coordinated response from multiple countries and private sector partners.
2025-09-30 | Malwarebytes Labs: 260 romance scammers and sextortionists caught in huge Interpol sting
Interpol's Operation Contender 3.0 resulted in the arrest of 260 individuals involved in romance scams and sextortion across Africa, with 1,463 victims reporting losses of approximately $2.8 million. Scammers used fake identities and manipulated victims into sending money under various pretenses, including bogus fees and investment schemes. The operation highlights the growing prevalence of such crimes, particularly in regions like Africa, where cybercrime constitutes a significant portion of reported offenses.
New macOS XCSSET Variant Targets Firefox with Clipper and Persistence Module
Date: 2025-09-26 | Source: The Hacker News
A new variant of the macOS malware XCSSET targets Firefox, incorporating clipboard hijacking and enhanced persistence mechanisms. It uses sophisticated encryption and obfuscation, employing run-only AppleScripts for stealth. The malware includes a clipper sub-module that alters cryptocurrency wallet addresses in the clipboard. New modules facilitate data exfiltration and persistence. Users are advised to keep systems updated, scrutinize Xcode projects, and be cautious with clipboard data.
2025-09-26 | Cyber Security News: New Variant of The XCSSET Malware Attacking macOS App Developers
A new variant of the XCSSET malware has emerged, targeting macOS app developers since late September 2025. This variant enhances stealth and exfiltration capabilities, using infected Xcode projects as the infection vector. It executes a multi-stage infection chain during Xcode builds, incorporating clipboard hijacking and browser data theft. The malware employs encrypted AppleScripts for obfuscation and maintains persistence through a LaunchDaemon submodule. Developers are advised to verify project sources and monitor network activity.
2025-09-26 | The Register: Microsoft spots fresh XCSSET malware strain hiding in Apple dev projects
Microsoft has identified a new variant of the XCSSET malware targeting macOS developers, evolving since its initial emergence in 2020. This version enhances its capabilities, including a module that steals data from Firefox and a clipboard hijacker for cryptocurrency addresses. It employs stealth tactics, such as disabling macOS updates and using obfuscation techniques. Microsoft advises developers to carefully review projects before builds and maintain updated security measures, as the malware continues to exploit Xcode projects.
2025-09-26 | TechRadar: Microsoft flags dangerous XCSSET macOS malware targeting developers - so be on your guard
Microsoft has detected an upgraded variant of the XCSSET macOS backdoor, targeting developers through compromised projects. This malware steals sensitive data, including Firefox browser information, and hijacks the clipboard to redirect cryptocurrency transactions. It employs a new persistence method to remain hidden. Although observed in limited attacks, it has not caused significant damage. Apple and GitHub are actively removing the malicious repositories associated with this campaign.
2025-09-26 | Security Affairs: Microsoft uncovers new variant of XCSSET macOS malware in targeted attacks
Microsoft Threat Intelligence has identified a new variant of XCSSET macOS malware, discovered in targeted attacks. This variant can steal Firefox data, hijack clipboard contents, and employs encryption and obfuscation to evade detection. It features a four-stage infection chain and includes modules for info stealing, file exfiltration, and persistence. Recommendations for mitigation include keeping software updated, inspecting Xcode projects, verifying clipboard contents, and using Microsoft Defender for Endpoint on Mac.
New LockBit Ransomware Variant Emerges as Most Dangerous Yet
Date: 2025-09-26 | Source: Infosecurity Magazine
Trend Micro has identified a new LockBit ransomware variant, LockBit 5.0, released in September 2025, which is significantly more dangerous than previous versions. It includes Windows, Linux, and ESXi variants, enabling cross-platform attacks. Enhancements include faster encryption, removal of infection markers, and advanced evasion techniques. The ransomware generates a ransom note and uses geolocation checks to avoid detection in Russia. LockBit 5.0 shows significant code reuse from version 4.0, indicating it is an evolutionary development.
2025-09-26 | The Register: LockBit's new variant is 'most dangerous yet,' hitting Windows, Linux and VMware ESXi
Trend Micro has raised concerns about the new LockBit 5.0 ransomware, described as "significantly more dangerous" due to its ability to target Windows, Linux, and VMware ESXi environments simultaneously. Enhanced evasion techniques and modular architecture allow it to encrypt VMs and files across platforms, complicating recovery efforts. The ransomware can disable security processes and delete backups, posing a severe threat to enterprise networks. Organizations are urged to implement robust cross-platform defenses.
2025-09-26 | CSO Online: Meet LockBit 5.0: Faster ESXi drive encryption, better at evading detection
The LockBit gang has launched LockBit 5.0, enhancing ESXi drive encryption speed. Security researcher Jon DiMaggio notes that the updates are more about refining existing features and promoting the gang than significant advancements. Despite the February 2024 takedown during Operation Cronos, which harmed the gang's credibility, the release aims to restore its reputation and expand profit-sharing with affiliates.
2025-09-29 | TechRadar: LockBit malware is back - and nastier than ever, experts claim
LockBit 5.0, discovered in September 2025, targets Windows, Linux, and VMware ESXi with advanced obfuscation and anti-analysis techniques. It builds on version 4.0, featuring DLL reflection and dynamic API resolution, making detection harder. The ransomware appends randomized 16-character extensions to encrypted files and avoids infecting Russian-language systems. While found active in the wild, no victim details or campaign success have been disclosed. Law enforcement's Operation Cronos previously aimed to disrupt LockBit's operations.
CISA orders feds to patch Cisco flaws used in multiple agency hacks
Date: 2025-09-25 | Source: Cybersecurity Dive
CISA has mandated U.S. government agencies to patch critical vulnerabilities (CVE-2025-20333, CVE-2025-20363) in Cisco firewalls, exploited by an advanced threat actor in a widespread hacking campaign. Agencies must submit forensic images by Friday, disconnect unsupported devices, and update firmware by October 3. The campaign, linked to the ArcaneDoor operation, has compromised at least 10 organizations globally. Cisco emphasized the need for timely updates to prevent unauthorized access and ensure network security.
2025-09-25 | The Hacker News: Urgent: Cisco ASA Zero-Day Duo Under Attack; CISA Triggers Emergency Mitigation Directive
Cisco has identified two zero-day vulnerabilities in its Secure Firewall ASA and FTD Software, CVE-2025-20333 (CVSS 9.9) and CVE-2025-20362 (CVSS 6.5), both allowing remote code execution via crafted HTTP requests. CISA issued Emergency Directive ED 25-03 for federal agencies to mitigate these vulnerabilities, which are actively exploited by the ArcaneDoor threat actor. The vulnerabilities have been added to the Known Exploited Vulnerabilities catalog, requiring immediate action.
2025-09-25 | Recorded Future: Federal agencies given one day to patch exploited Cisco firewall bugs
Federal civilian agencies must patch vulnerabilities CVE-2025-20333 (severity 9.9) and CVE-2025-20362 (severity 6.5) in Cisco Adaptive Security Appliances by Friday evening, as directed by CISA. Exploitation by advanced threat actors has been confirmed, with evidence of sophisticated malware and persistent access methods. Cisco recommends resetting devices to factory defaults and replacing all configurations if a compromise is suspected. The vulnerabilities affect ASA 5500-X Series devices, with support ending for several models.
2025-09-25 | Cyberscoop: CISA alerts federal agencies of widespread attacks using Cisco zero-days
Federal agencies have been alerted by CISA about ongoing attacks exploiting zero-day vulnerabilities in Cisco firewalls, specifically CVE-2025-20333 and CVE-2025-20362. Cisco linked these attacks to a state-sponsored group, "ArcaneDoor," and noted that the vulnerabilities allow malware implantation and data exfiltration. Agencies must report compromises and apply patches by Friday. The attackers used advanced techniques to evade detection. CISA emphasized that similar risks apply to private sector organizations using these devices.
2025-09-25 | Security Affairs: U.S. CISA adds CISCO Secure Firewall ASA and Secure FTD flaws to its Known Exploited Vulnerabilities catalog
On September 25, 2025, CISA added vulnerabilities in Cisco Secure Firewall ASA and Secure FTD to its Known Exploited Vulnerabilities catalog. An ongoing exploitation campaign targets these devices, allowing unauthenticated remote code execution. Key vulnerabilities include CVE-2025-20362 (missing authorization) and CVE-2025-20333 (buffer overflow). Agencies must identify affected devices and report by September 26, 2025, with updates due by October 2, 2025. Private organizations are also advised to address these vulnerabilities.
2025-09-25 | CSO Online: Patch now: Attacker finds another zero day in Cisco firewall software
A critical zero-day vulnerability in Cisco firewalls requires immediate patching, as warned by US and UK cyber authorities. Exploits are linked to ongoing attacks on network perimeter devices. The UK's NCSC described Cisco's alert as a significant update related to the ArcaneDoor campaign, previously exposed last year. CISA has issued an emergency directive for federal departments to identify, analyze, and mitigate potential compromises related to this vulnerability.
2025-09-25 | Cyberscoop: CISA says it observed nearly year-old activity tied to Cisco zero-day attacks
CISA reported ongoing exploitation of Cisco zero-day vulnerabilities, with initial reconnaissance activity dating back to November 2024. Hundreds of Cisco firewalls used by federal agencies are potentially at risk. An emergency directive mandates immediate action to assess and mitigate the threat. Cisco's incident response began in May, but there was a four-month delay before disclosure and patching. CISA warns that attacks may escalate as vulnerabilities are revealed, emphasizing the need for rapid detection of threat actor activity.
2025-09-26 | The Hacker News: Cisco ASA Firewall Zero-Day Exploits Deploy RayInitiator and LINE VIPER Malware
Threat actors exploited zero-day vulnerabilities in Cisco ASA firewalls, deploying RayInitiator and LINE VIPER malware. The U.K. NCSC reported that these attacks targeted ASA 5500-X Series devices, using CVE-2025-20362 (CVSS 6.5) and CVE-2025-20333 (CVSS 9.9) to bypass authentication. Cisco confirmed the campaign linked to the ArcaneDoor threat cluster, attributed to a China-linked group. A critical flaw (CVE-2025-20363, CVSS 8.5/9.0) was also identified, prompting urgent updates for affected organizations.
2025-09-26 | Cyber Security News: Cisco ASA 0-Day RCE Vulnerability Actively Exploited in the Wild
Cisco has issued an emergency advisory regarding a critical zero-day vulnerability (CVE-2025-20333) in its Secure Firewall ASA and FTD software, allowing authenticated remote attackers to execute arbitrary code with root privileges. The flaw, with a CVSS score of 9.9, affects devices with specific VPN configurations. A second vulnerability (CVE-2025-20362) allows unauthorized access to restricted URLs, rated 6.5. Immediate software updates are recommended, as no workarounds exist.
2025-09-26 | Cyber Security News: Hackers Exploiting Cisco ASA Zero-Day to Deploy RayInitiator and LINE VIPER Malware
A state-sponsored threat actor is exploiting a zero-day vulnerability (CVE-2025-20333) in Cisco ASA 5500-X series firewalls to deploy RayInitiator and LINE VIPER malware. RayInitiator establishes persistence by embedding itself in the device's bootloader, while LINE VIPER allows command execution and data exfiltration. Cisco and the NCSC recommend immediate patching and investigation for signs of compromise, particularly for devices nearing end-of-life, which pose significant security risks.
2025-09-26 | Rapid7: CVE-2025-20333, CVE-2025-20362, CVE-2025-20363 - Multiple critical vulnerabilities affecting Cisco products
On September 25, 2025, Cisco disclosed three critical vulnerabilities: CVE-2025-20333 (buffer overflow), CVE-2025-20362 (missing authorization), and CVE-2025-20363 (heap-based buffer overflow). CVE-2025-20333 and CVE-2025-20362 are actively exploited, while CVE-2025-20363 is at high risk. All require urgent patching. Affected products include Cisco Secure Firewall ASA, FTD, IOS, IOS XE, and IOS XR. Customers are advised to update to the latest software versions immediately.
2025-09-26 | The Register: UK and US security agencies order urgent fixes as Cisco firewall bugs exploited in wild
Cybersecurity agencies in the UK and US have issued urgent directives regarding vulnerabilities in Cisco's Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) devices, tracked as CVE-2025-20333 and CVE-2025-20362. Exploited by an advanced threat actor, these flaws allow malware implantation and data exfiltration. Cisco has released patches and warned that affected devices nearing end-of-life should be removed from networks. The exploitation is linked to the ArcaneDoor campaign, attributed to a sophisticated state-sponsored actor.
2025-09-26 | Cyber Security News: CISA Warns of Cisco Firewall 0-Day Vulnerabilities Actively Exploited in the Wild
CISA has issued an Emergency Directive regarding two critical zero-day vulnerabilities in Cisco ASA and Firepower platforms: CVE-2025-20333 (remote code execution, CVSS 9.8) and CVE-2025-20362 (privilege escalation, CVSS 7.2). These vulnerabilities allow unauthenticated remote code execution and are actively exploited. Agencies must follow CISA's instructions, apply updates by September 26, 2025, and submit reports by October 2, 2025. Non-compliance poses risks to federal systems and critical infrastructure.
2025-09-26 | Infosecurity Magazine: ArcaneDoor Threat Actor Resurfaces in Continued Attacks Against Cisco Firewalls
A cyber-attack campaign linked to the ArcaneDoor threat actor has targeted Cisco ASA 5500-X Series devices running vulnerable software, exploiting CVE-2025-20333 and CVE-2025-20362. The attackers used advanced evasion techniques and aimed to implant malware and exfiltrate data. Cisco urges organizations to upgrade to fixed software releases and disable SSL/TLS-based VPN services as temporary measures. The UK’s NCSC and CISA have issued advisories for detection and remediation actions.
2025-09-26 | Help Net Security: Cisco ASA zero-day vulnerabilities exploited in sophisticated attacks
A widespread campaign exploiting zero-day vulnerabilities in Cisco Adaptive Security Appliances (ASA) has been identified by US, UK, Canadian, and Australian cybersecurity agencies. The vulnerabilities CVE-2025-20362 and CVE-2025-20333 allow unauthorized access and remote code execution. Cisco recommends organizations identify affected devices, apply patches, and report compromises. The UK NCSC highlighted advanced malware used in the attacks, urging immediate remediation and device upgrades before end-of-support dates.
2025-09-26 | Security Affairs: UK NCSC warns that attackers exploited Cisco firewall zero-days to deploy RayInitiator and LINE VIPER malware
UK NCSC reported that attackers exploited Cisco firewall zero-days (CVE-2025-20362, CVE-2025-20333) to deploy RayInitiator and LINE VIPER malware. RayInitiator is a persistent GRUB bootkit for Cisco ASA 5500-X devices, while LINE VIPER executes commands and captures data. The campaign, linked to the ArcaneDoor hacking group, targeted end-of-life devices, disabling logging and intercepting commands. Cisco also patched CVE-2025-20363, a critical flaw allowing remote code execution.
2025-09-26 | TechRadar: US Government tells agencies to patch Cisco firewalls immediately, or face attack
CISA has issued Emergency Directive 25-03, urging US government agencies to patch two critical Cisco vulnerabilities (CVE-2025-20333 and CVE-2025-20362) by October 2, 2025, due to active exploitation by the state-sponsored group ArcaneDoor. The vulnerabilities affect Cisco Adaptive Security Appliances and Firepower firewalls, with CVE-2025-20333 rated critical (9.9/10). Agencies must inventory devices, conduct forensic analysis, and report findings by October 2, 2025, with a patch deadline of October 16, 2025.
2025-09-26 | Palo Alto: Threat Insights: Active Exploitation of Cisco ASA Zero Days
Cisco has reported active exploitation of three zero-day vulnerabilities in its ASA and FTD software by a state-sponsored threat actor, identified as ArcaneDoor. The vulnerabilities, CVE-2025-20333 and CVE-2025-20362, allow arbitrary code execution and unauthorized access, while CVE-2025-20363 is at high risk for imminent exploitation. Cisco has released updates and urged immediate patching. CISA issued Emergency Directive 25-03 for federal agencies due to the significant risk.
2025-09-28 | Help Net Security: Week in review: Cisco ASA zero-day vulnerabilities exploited, Fortra GoAnywhere instances at risk
Cisco ASA zero-day vulnerabilities are being exploited in sophisticated attacks, as reported by cybersecurity agencies from the US, UK, Canada, and Australia. Organizations using Cisco Adaptive Security Appliances are at risk. Additionally, unpatched Fortra GoAnywhere instances are vulnerable to full takeover via CVE-2025-10035. A zero-day vulnerability (CVE-2025-59689) in Libraesva Email Security Gateway has also been exploited by suspected state-sponsored attackers.
2025-09-29 | Cyber Security News: Lesson From Cisco ASA 0-Day RCE Vulnerability That Actively Exploited In The Wild
Cisco disclosed critical zero-day vulnerabilities in its ASA and FTD platforms, notably CVE-2025-20333, a remote code execution flaw with a CVSS score of 9.9, exploited by state-sponsored actors UAT4356. This vulnerability allows authenticated attackers to execute arbitrary code via crafted HTTP requests. When chained with CVE-2025-20362, it enables unauthenticated access. The campaign has prompted emergency directives from CISA and international responses due to the severe implications for network security.
2025-09-30 | Cybersecurity Dive: Cisco firewall flaws endanger nearly 50,000 devices worldwide
Nearly 50,000 Cisco firewall devices are exposed to three recently disclosed vulnerabilities, prompting an emergency patching directive from CISA after the Sept. 25 disclosure. The U.S. has over 19,000 unpatched devices, followed by the U.K. with 2,700. Two critical flaws, CVE-2025-20362 and CVE-2025-20333, are being exploited in cyberattacks against federal agencies, allowing unauthorized access and potential arbitrary code execution. Agencies must confirm mitigation by Thursday.
2025-09-30 | The Register: Warnings about Cisco vulns under active exploit are falling on deaf ears
Nearly 50,000 Cisco ASA/FTD instances are exposed to two actively exploited vulnerabilities: CVE-2025-20333 (9.9) and CVE-2025-20362 (6.5). Most affected devices are in the US. CISA issued a rare 24-hour patching order for federal agencies, citing "unacceptable risk." The vulnerabilities affect specific ASA software versions and 5500-X-series firewalls. Attacks are linked to the ArcaneDoor campaign, deploying malware RayInitiator and Line Viper. Organizations are urged to follow Cisco's recommendations and upgrade outdated systems.
2025-10-01 | Cyber Security News: 48+ Cisco Firewalls Vulnerable to Actively Exploited 0-Day Vulnerability in the Wild
A critical zero-day vulnerability, CVE-2025-20333, affecting over 48,800 Cisco firewalls is actively exploited, with a CVSS score of 9.9. It allows authenticated attackers to execute arbitrary code via the VPN web server. A secondary vulnerability, CVE-2025-20362 (CVSS 6.5), enables unauthorized access to VPN endpoints. Cisco has released emergency patches and recommends immediate application to mitigate risks, emphasizing the need for enhanced threat detection for VPN services.
2025-10-01 | Help Net Security: Too many Cisco ASA firewalls still unsecure despite zero-day attack alerts
Cisco has warned that approximately 48,000 Cisco Adaptive Security Appliances (ASA) remain vulnerable to zero-day exploits (CVE-2025-20333, CVE-2025-20362), despite alerts. Most vulnerable devices are in the US, with others in the UK, Japan, Russia, Germany, and Canada. Attackers have used advanced evasion techniques against government organizations. Cisco advises customers to check for vulnerabilities, replace outdated devices, and reset configurations post-upgrade. Organizations should report any compromises to local cybersecurity agencies.
2025-10-01 | Flashpoint: Flashpoint Weekly Vulnerability Insights and Prioritization Report
Flashpoint's report for the week of September 20-26, 2025, identifies 92 critical vulnerabilities, with five urgent ones highlighted. Key vulnerabilities include CVE-2025-20363 and CVE-2025-20333 in Cisco products, both allowing remote code execution. CVE-2022-4980 in Crypto Application Server permits unauthorized admin access. Chanjet T+ has a flaw enabling remote code execution via file upload. CVE-2025-9900 in LibTIFF involves an out-of-bounds write. Immediate remediation is recommended for all.
2025-10-01 | TechRadar: Around 50,000 Cisco firewalls are vulnerable to attack, so patch now
Around 50,000 Cisco firewalls are vulnerable to remote code execution (RCE) flaws CVE-2025-20333 and CVE-2025-20362, with active exploitation reported. Cisco urges immediate patching for affected ASA and FTD devices, as no workarounds exist. The vulnerabilities have severity scores of 9.9 and 6.5, respectively. The US, UK, and Germany are the most affected, with 19,610, 2,834, and 2,392 exposed instances. CISA has issued an emergency directive urging remediation due to ongoing attacks.
Malicious AI Agent Server Reportedly Steals Emails
Date: 2025-09-25 | Source: Infosecurity Magazine
A Koi Security report reveals that the Postmark MCP Server, a popular Model Context Protocol server for AI agents, has turned malicious in version 1.0.16, released by developer @phanpak. Initially functioning correctly, the server began copying all emails to the developer's personal server. This incident, noted as potentially the first malicious MCP server, affects users who granted email access to the server, which has over 1500 weekly downloads on npm. The report was published on September 25.
Malicious AI Agent Server Reportedly Steals Emails
2025-09-26 | CSO Online: Trust on MCP takes first in-the-wild hit via squatted Postmark connector
A supply-chain attack was reported involving the npm package “postmark-mcp,” which was weaponized to exfiltrate emails from users. This package, masquerading as a legitimate integration for Postmark, has been downloaded 1,500 times weekly. Since version 1.0.16, it has been copying all emails, including sensitive information, to the developer's personal server. The incident highlights vulnerabilities in user trust and the lack of security measures around the AI connector protocol, MCP.
2025-09-26 | CSO Online: Trust in MCP takes first in-the-wild hit via squatted Postmark connector
A supply-chain attack was reported involving a malicious npm package named “postmark-mcp,” which masqueraded as a legitimate connector for integrating Postmark, an email service by ActiveCampaign, into AI applications. Since version 1.0.16, the package has exfiltrated emails, including sensitive information like password resets and internal documents, to the developer's server. The package had 1,500 weekly downloads, highlighting vulnerabilities in user trust and in the security measures around MCP.
2025-09-26 | Cyber Security News: First-Ever Malicious MCP Server Found in the Wild Steals Emails via AI Agents
A malicious npm package named postmark-mcp was discovered, exfiltrating sensitive emails by adding a Bcc field to outgoing messages. Downloaded 1,500 times weekly, it operated normally until version 1.0.16, which introduced a backdoor. The attack exploited trust in open-source software, affecting 300 organizations and potentially leaking 3,000 to 15,000 emails daily. Users are advised to uninstall versions 1.0.16 and later and rotate any compromised credentials.
2025-09-29 | The Hacker News: First Malicious MCP Server Found Stealing Emails in Rogue Postmark-MCP Package
Cybersecurity researchers identified the first malicious Model Context Protocol (MCP) server in the npm package "postmark-mcp," version 1.0.16, released on September 17, 2025. This rogue package, uploaded by developer "phanpak," copied an official library and secretly forwarded emails to "phan@giftshop[.]club." The package has been removed, but users are advised to uninstall it, rotate exposed credentials, and check email logs for BCC traffic. The incident highlights vulnerabilities in the software supply chain and open-source trust.
2025-09-29 | The Register: One line of malicious npm code led to massive Postmark email heist
A malicious npm package named "postmark-mcp" impersonated Postmark's email service, stealing thousands of emails daily by adding a backdoor in version 1.0.16. Postmark confirmed on September 25 that they were not involved. The package, downloaded approximately 1,500 times weekly, exposed sensitive information, including passwords and financial details. Koi Security highlighted the risks of the MCP ecosystem, emphasizing the ease of compromising npm packages. GitHub plans to enhance security measures in response.
Children's names, pictures and addresses stolen in nursery chain hack
Date: 2025-09-25 | Source: BBC News
Hackers have stolen sensitive information, including names, pictures, and addresses of approximately 8,000 children from the Kido nursery chain, which operates 18 sites in the UK and abroad. The cybercriminals are demanding ransom and claim to possess additional data about parents and carers, as well as safeguarding notes. They have reportedly contacted some parents directly as part of their extortion efforts. Kido has been notified of the breach but has not yet confirmed the hackers' claims.
Children's names, pictures and addresses stolen in nursery chain hack
2025-09-25 | The Register: Callous crims break into preschool network, publish toddlers' data
A cybercriminal group, Radiant Group, has targeted Kido International, a preschool organization, leaking sensitive data of pupils and parents, including images, names, and addresses. This marks the group's first leak on its dark web site. The attack has been described as one of the most aggressive extortion tactics, with implications for the entire ransomware industry. Experts emphasize the need for organizations to enhance data security and condemn the moral depravity of such attacks on vulnerable populations.
2025-09-25 | The Guardian: Hackers reportedly steal pictures of 8,000 children from Kido nursery chain
Hackers have stolen names, pictures, and addresses of approximately 8,000 children from the Kido nursery chain, demanding ransom. They claim to have additional information about parents and carers, contacting some directly. The Metropolitan Police are investigating the ransomware attack, while Kido has not confirmed the breach. Separately, JLR has halted car assembly due to a cyber-attack affecting its computer systems, though some systems have since been restarted.
2025-09-26 | BBC News: Nursery hackers threaten to publish more children's profiles online
Hackers known as Radiant have breached Kido nursery chain, threatening to release more children's profiles unless a ransom is paid. They posted details of 10 children online, including pictures, birth dates, and contact information. The breach occurred through Famly, a software service used by many nurseries. Kido is cooperating with authorities, while parents express concern over the hackers' threatening calls. The Met Police is investigating the incident.
2025-09-26 | NY Times: Hackers Steal Children’s Data and Photos from U.K. Nursery Chain
Hackers have targeted Kido International, a nursery chain in London, demanding ransom to prevent the release of sensitive data, including children's photos and identifying information. The group, identified as "Radiant," has already posted profiles of 10 children on the dark web. The Information Commissioner's Office is assessing the incident and emphasizes the importance of children's safety and privacy while working to understand the full impact and support those affected.
2025-09-26 | Malwarebytes Labs: Hackers threaten parents: Get nursery to pay ransom or we leak your child’s data
A hacking group named "Radiant" claims to have stolen sensitive data of approximately 8,000 children from the nursery chain Kido, including names, photos, addresses, and medical information. They threatened to leak this data unless a ransom is paid, even contacting parents to pressure Kido. The incident is under investigation, and Kido has reached out to parents for reassurance. Recommendations for victims include changing passwords, enabling two-factor authentication, and being cautious of phishing attempts.
2025-09-27 | The Guardian: Kido nursery hackers threaten to publish more children’s profiles
Hackers known as Radiant have breached the UK-based Kido nursery chain, threatening to release sensitive data on thousands of children unless paid. They posted profiles of 10 children online, claiming to possess data on over 8,000 children, including personal details and safeguarding reports. Kido is collaborating with authorities, including the Information Commissioner’s Office, to investigate the breach, which was linked to third-party software Famly. The police advise against paying ransoms to deter further attacks.
Vulnerability in Salesforce AI could be tricked into leaking CRM data
Date: 2025-09-25 | Source: CSO Online
A vulnerability in Salesforce's AI, specifically the Agentforce system, allows attackers to exploit the Web-to-Lead form by embedding malicious text. This can lead to unauthorized data access when an employee interacts with the form. The issue is exacerbated by an expired domain on Salesforce's content security policy whitelist, which can be re-registered to facilitate data exfiltration. This method, termed "Indirect Prompt Injection," combines elements of cross-site scripting and social engineering, posing significant security risks.
Vulnerability in Salesforce AI could be tricked into leaking CRM data
2025-09-25 | Hack Read: ForcedLeak Flaw in Salesforce Agentforce AI Agent Exposed CRM Data
A critical vulnerability named ForcedLeak was found in Salesforce Agentforce, rated CVSS 9.4, allowing remote attackers to steal sensitive CRM data via indirect prompt injection attacks. Exploiting the Web-to-Lead feature, attackers could embed malicious code in input fields, tricking the AI into revealing private information. Salesforce implemented fixes by September 8, 2025, advising users to enforce Trusted URLs and audit lead data. The flaw highlights risks in AI systems within high-value CRM environments.
2025-09-25 | The Hacker News: Salesforce Patches Critical ForcedLeak Bug Exposing CRM Data via AI Prompt Injection
Salesforce has patched a critical vulnerability, dubbed ForcedLeak (CVSS score: 9.4), affecting its Agentforce platform, discovered by Noma Security on July 28, 2025. This flaw allows attackers to exfiltrate sensitive CRM data via indirect prompt injection through the Web-to-Lead functionality. Salesforce has implemented a Trusted URL allowlist to prevent data leakage and recommends users audit lead data, enforce strict input validation, and sanitize untrusted data to mitigate risks.
2025-09-25 | Infosecurity Magazine: Critical Vulnerability in Salesforce AgentForce Exposed
A critical vulnerability, named ForcedLeak, was found in Salesforce's AI-powered AgentForce platform, scoring 9.4 in severity. It allowed attackers to steal sensitive CRM data via indirect prompt injection. Salesforce has patched the issue by enforcing Trusted URLs and securing an expired domain that could be exploited. Recommendations include applying patches, auditing lead data for suspicious submissions, and enforcing strict security measures to mitigate risks associated with AI-driven attacks.
2025-09-25 | Cyber Security News: Salesforce AI Agent Vulnerability Allows Let Attackers Exfiltration Sensitive Data
A critical vulnerability, named ForcedLeak, was discovered in Salesforce's Agentforce AI platform, allowing attackers to exfiltrate sensitive CRM data. The CVSS score is 9.4, and the attack exploited weaknesses like insufficient context validation and a CSP bypass. Malicious instructions were embedded in web form submissions, leading the AI to execute unauthorized commands. Salesforce has deployed patches and recommends customers enforce Trusted URLs, audit lead data, and implement strict input validation.
2025-09-26 | The Register: Prompt injection – and a $5 domain – trick Salesforce Agentforce into leaking sales
A vulnerability in Salesforce's Agentforce, named "ForcedLeak," allowed attackers to exploit prompt injection to access sensitive customer data. Researchers demonstrated this using an expired domain purchased for $5, enabling them to embed malicious instructions in a description field. Salesforce has since patched the flaw and implemented trusted URL allow-lists to prevent such attacks. The vulnerability received a critical severity score of 9.4, emphasizing the need for enhanced AI security measures.
2025-09-27 | Security Affairs: ForcedLeak flaw in Salesforce Agentforce exposes CRM data via Prompt Injection
A critical vulnerability, named ForcedLeak (CVSS 9.4), was discovered in Salesforce Agentforce, allowing attackers to exfiltrate sensitive CRM data via indirect prompt injection. This flaw affects organizations using the Web-to-Lead functionality. Exploiting weaknesses in context validation and an expired CSP allowlist, attackers can craft malicious submissions that execute unauthorized commands. Salesforce has patched the issue as of September 8, 2025, after public disclosure on September 25, 2025.
Critical CVSS 10 Flaw in GoAnywhere File Transfer Threatens 20,000 Systems
Date: 2025-09-25 | Source: Hack Read
A critical vulnerability, CVE-2025-10035, in Fortra’s GoAnywhere Managed File Transfer (MFT) solution poses a severe risk, with a CVSS score of 10.0. This deserialization flaw could allow attackers to execute arbitrary code, compromising sensitive data across over 20,000 exposed systems. Fortra has released patches in versions 7.8.4 and 7.6.3. Organizations are advised to upgrade immediately and restrict access to the Admin Console to mitigate risks.
Critical CVSS 10 Flaw in GoAnywhere File Transfer Threatens 20,000 Systems
2025-09-26 | The Hacker News: Fortra GoAnywhere CVSS 10 Flaw Exploited as 0-Day a Week Before Public Disclosure
A CVSS 10.0 vulnerability, CVE-2025-10035, in Fortra GoAnywhere MFT software has been actively exploited since September 10, 2025, prior to its public disclosure. This deserialization vulnerability allows command injection without authentication. Fortra released versions 7.8.4 and 7.6.3 to address the issue. Exploitation involves creating a backdoor account and executing additional payloads. Users are urged to apply the fixes promptly due to ongoing threats linked to the vulnerability.
2025-09-26 | Cyber Security News: Fortra GoAnywhere Vulnerability Exploited as 0-Day Before Patch
A critical vulnerability (CVE-2025-10035) in Fortra’s GoAnywhere MFT solution, with a CVSS score of 10.0, was exploited as a zero-day before a patch was released. Active exploitation began on September 10, 2025, involving a command injection flaw allowing unauthenticated remote code execution. Fortra released patches on September 15 and 18, but initial advisories did not disclose active attacks. Organizations are urged to patch immediately and secure admin consoles.
2025-09-26 | Cyberscoop: Worries mount over max-severity GoAnywhere defect
A maximum-severity vulnerability, CVE-2025-10035, in Fortra's GoAnywhere MFT file-transfer service has raised concerns about active exploitation, with evidence dating back to September 10. Fortra has not confirmed exploitation, leading to criticism from researchers who argue that the lack of transparency complicates defense efforts. The vulnerability allows remote code execution via a signed Java object, but the private key required for exploitation remains unaccounted for. Experts emphasize the need for vendors to provide clear information to aid in risk management.
2025-09-26 | The Register: ‘An attacker's playground:’ Crims exploit GoAnywhere perfect-10 bug
Threat actors have exploited a critical vulnerability (CVE-2025-10035) in Fortra's GoAnywhere MFT, first disclosed on September 18, 2025. Researchers from watchTowr reported evidence of attacks dating back to September 10, where attackers achieve remote code execution and create backdoor accounts. With over 20,000 instances still exposed, the risk is significant for organizations, especially those in the Fortune 500. WatchTowr urges Fortra to improve transparency regarding the vulnerability's exploitation status.
2025-09-26 | Security Affairs: Hackers exploit Fortra GoAnywhere flaw before public alert
Hackers exploited the Fortra GoAnywhere MFT flaw CVE-2025-10035 on September 10, 2025, prior to its public disclosure on September 18, 2025. The vulnerability, a critical deserialization issue (CVSS score 10.0), allows command execution on affected systems. Fortra recommends upgrading to versions 7.8.4 or 7.6.3 and restricting public access to the Admin Console. Over 20,000 internet-facing instances were identified, including those in Fortune 500 companies. Rapid7 notes the flaw involves a chain of three vulnerabilities.
2025-09-26 | Help Net Security: Attackers exploited critical Fortra GoAnywhere flaw in zero-day attacks (CVE-2025-10035)
CVE-2025-10035, a critical CVSS 10.0 vulnerability in Fortra GoAnywhere, was exploited in zero-day attacks before its patch on September 15, 2025. Fortra advised users to upgrade to versions 7.8.4 or 7.6.3 to address a deserialization vulnerability. Researchers found evidence of exploitation dating back to September 10, 2025, and identified a backdoor created by attackers. Users are urged to check for indicators of compromise and upgrade to the fixed version immediately.
2025-09-29 | TechRadar: Experts warn a maximum severity GoAnywhere MFT flaw is now being exploited as a zero day
A maximum severity vulnerability, CVE-2025-10035, in GoAnywhere MFT allows critical command injection via the license servlet and is currently being exploited in the wild. WatchTowr Labs reported credible evidence of exploitation dating back to September 10, 2025, prior to Fortra's advisory on September 18, 2025. Users are urged to patch to version 7.8.4 or 7.6.3, or isolate systems. Previous vulnerabilities led to significant breaches by the Cl0p ransomware group.
2025-09-30 | Security Affairs: U.S. CISA adds Adminer, Cisco IOS, Fortra GoAnywhere MFT, Libraesva ESG, and Sudo flaws to its Known Exploited Vulnerabilities catalog
U.S. CISA has added several vulnerabilities to its Known Exploited Vulnerabilities catalog, including CVE-2021-21311 (Adminer), CVE-2025-20352 (Cisco IOS), CVE-2025-10035 (Fortra GoAnywhere MFT), CVE-2025-59689 (Libraesva ESG), and CVE-2025-32463 (Sudo). Notably, CVE-2025-20352 allows remote code execution, while CVE-2025-10035 has been actively exploited. CISA mandates federal agencies to address these vulnerabilities by October 20, 2025, and recommends private organizations do the same.
2025-09-30 | Rapid7: CVE-2025-10035 - Critical unauthenticated RCE in GoAnywhere MFT
On September 18, 2025, Fortra announced CVE-2025-10035, a critical unauthenticated remote code execution vulnerability in GoAnywhere MFT due to unsafe deserialization. Although no public exploit exists, the vulnerability poses a significant threat. Affected versions include GoAnywhere MFT 7.8.4 and above, and 7.6.3 and above for Sustain release. Rapid7 Labs identified it as part of a chain of issues. CISA added it to the list of known exploited vulnerabilities. Urgent updates are recommended.
2025-09-30 | Recorded Future: CISA orders federal gov to patch critical Fortra file transfer bug
CISA has mandated federal civilian agencies to patch CVE-2025-10035, a critical vulnerability in Fortra's GoAnywhere MFT solution, by October 20. The vulnerability, rated 10/10 in severity, may already be exploited, with evidence suggesting active attacks since September 10. Fortra advises customers to secure their Admin Console and has developed a patch. Concerns remain about the lack of transparency regarding the exploitation status. Other vulnerabilities were also added to CISA's Known Exploited Vulnerabilities list.
Empty shelves, empty coffers: Co-op pegs cyber hit at £80m
Date: 2025-09-25 | Source: The Register
The Co-operative Group reported an £80 million profit hit due to a cyberattack in April that caused significant operational disruptions. The breach resulted in the theft of personal details of 6.5 million members, although payment data was not compromised. The attack led to a £206 million loss in revenue and a £32 million operating loss for the first half of 2025. Four suspects linked to the attack were arrested, and investigations by regulators are ongoing. Co-op anticipates a reduction in cyber impact moving forward.
Empty shelves, empty coffers: Co-op pegs cyber hit at £80m
2025-09-25 | Infosecurity Magazine: Co-op Records £206m Revenue Loss Following Cyber-Attack
The Co-op reported a £206m ($277m) revenue loss due to a cyber-attack in April 2025, with overall losses for H1 2025 totaling £80m ($107m). The attack led to system shutdowns to contain the threat. The Scattered Spider hacking group is linked to this incident, which also affected Marks & Spencer and Harrods. M&S reported £300m ($403m) in losses, and Co-op confirmed limited member data exposure. A £20m ($27m) one-off cost was noted, though its relation to the incident is unclear.
2025-09-25 | Recorded Future: Cyberattack on British retailer Co-op shaved about $275 million from revenues, company says
The Co-op retail chain suffered a £206 million ($274 million) revenue loss due to a cyberattack in April, which resulted in empty shelves and customer data theft. The attack affected its food business significantly, leading to reduced stock availability. Four individuals were arrested in connection with the incident, linked to the Scattered Spider group. Co-op managed to prevent ransomware by disconnecting networks, but all 6.5 million members had their data compromised, resulting in a total profit loss of £80 million ($106.7 million).
2025-09-26 | CSO Online: Cyberattack: British Co-op Group misses out on millions in profit
A cyberattack in April 2025 hit the British Co-op Group, leading to an estimated loss of around £120 million. Cybercriminals stole the data of around 6.5 million members. Parts of the IT systems were shut down as a security measure, which disrupted operations. The attacker is unknown. Co-op is not alone; Jaguar Land Rover, Marks and Spencer and the British Library have also suffered significant cyberattacks in recent months.
Malicious SVGs in Phishing Campaigns: How to Detect Hidden Redirects and Payloads
Date: 2025-09-24 | Source: Cyber Security News
A phishing campaign utilizing malicious SVG files disguised as PDFs has been identified, with attacks scaling by mid-September using Microsoft-themed lures. The SVG files execute embedded JavaScript to decode and redirect users through multiple domains, ultimately landing on a fake Microsoft credential page. This method employs social engineering tactics, including a "protected document" prompt. ANY.RUN's sandbox reveals the attack chain, enabling rapid detection and integration of findings into security platforms, enhancing response times significantly.
Malicious SVGs in Phishing Campaigns: How to Detect Hidden Redirects and Payloads
2025-09-25 | Help Net Security: Microsoft spots LLM-obfuscated phishing attack
Cybercriminals are leveraging AI and large language models (LLMs) to enhance phishing attacks, as observed by Microsoft Threat Intelligence. A recent campaign involved a compromised email account sending an SVG file disguised as a PDF. This file contained hidden malicious code encoded with business-related terms, redirecting victims to credential-harvesting pages. Microsoft’s Security Copilot identified LLM-generated traits in the code, suggesting that AI obfuscation could introduce detectable artifacts, aiding in threat detection.
2025-09-25 | Malwarebytes Labs: New SVG-based phishing campaign is a recipe for disaster
A new SVG-based phishing campaign utilizes obfuscated code within SVG files to redirect users to a phishing site. The malicious SVG, RECElPT.SVG, disguises its intent with food-related names and embeds the target's email address. The phishing domain, a potential typosquat of devconptyltd.com.au, has several associated subdomains. Recommendations for protection include treating SVG files cautiously, verifying website addresses, using password managers, and employing real-time anti-malware solutions.
2025-09-26 | Cyber Security News: Hackers Leverage AI-Generated Code to Obfuscate Its Payload and Evade Traditional Defenses
Cybercriminals are using AI-generated code in a sophisticated phishing campaign targeting US organizations. This approach obfuscates malicious payloads within seemingly legitimate business documents, deviating from traditional encryption methods. Attackers leveraged compromised email accounts to distribute phishing messages disguised as file-sharing notifications. The primary attack vehicle was an SVG file, appearing as a PDF, which embedded JavaScript to execute malicious functions while using business terminology to mislead users.
2025-09-26 | TechRadar: Watch out - hackers are using AI to make phishing emails even more convincing
Hackers are leveraging AI to enhance phishing tactics by embedding malicious code in SVG files disguised as business charts. Microsoft reported a campaign where attackers used a compromised email to send SVG files that appeared as PDFs, concealing harmful JavaScript. The obfuscation method involved using business terminology to mask the malicious intent, allowing the code to execute actions like redirecting users to phishing sites and collecting data. Microsoft attributes the complexity of the code to AI-generated techniques.
2025-09-29 | The Hacker News: Microsoft Flags AI-Driven Phishing: LLM-Crafted SVG Files Outsmart Email Security
Microsoft reported a phishing campaign targeting U.S. organizations, utilizing AI-generated SVG files to evade security measures. Detected on August 28, 2025, attackers used compromised email accounts to send messages disguised as file-sharing notifications. The SVG files, capable of embedding JavaScript, redirect users to fake login pages after a CAPTCHA. The obfuscation employed business terminology to mislead inspections, indicating AI involvement. Microsoft noted the campaign's limited scope but warned of similar tactics being adopted by various threat actors.
2025-09-29 | Infosecurity Magazine: AI-Generated Code Used in Phishing Campaign Blocked by Microsoft
A credential phishing campaign using AI-generated code was blocked by Microsoft on August 18, targeting US organizations. Attackers sent emails with an SVG file disguised as a PDF, redirecting recipients to a fake CAPTCHA page. The obfuscated code, likely generated by a large language model, used business language to conceal malicious instructions. Microsoft Defender detected anomalies, leading to the campaign's shutdown. Recommendations include using Safe Links, enabling Zero-hour Auto Purge, and adopting phishing-resistant authentication.
2025-09-30 | Hack Read: Microsoft Flags AI Phishing Attack Hiding in SVG Files
On August 18, Microsoft detected and blocked a sophisticated AI-driven phishing campaign targeting US organizations. Attackers used a compromised email to send a fraudulent SVG file disguised as a PDF, embedding malicious code that redirected users to a fake sign-in page. Microsoft’s AI tool, Security Copilot, identified the complex code as likely generated by AI. Microsoft Defender for Office 365 successfully blocked the attack, highlighting the need for security teams to adapt to evolving AI-assisted threats.
2025-09-30 | TechRadar: Microsoft blocks phishing scam which used AI-generated code to trick users
Microsoft recently blocked a phishing campaign that utilized AI-generated code to conceal its malicious payload within an SVG file disguised as a PDF. The attackers used a compromised small business email account to send messages with targets hidden in BCC fields. The SVG contained hidden elements mimicking a business dashboard, redirecting users to a fake sign-in page after displaying a CAPTCHA. Security Copilot identified AI traits in the code, indicating it was likely generated by AI, highlighting the evolving tactics of cyber attackers.
Cisco IOS 0-Day RCE Vulnerability Actively Exploited in the Wild
Date: 2025-09-24 | Source: Cyber Security News
Cisco disclosed a zero-day vulnerability, CVE-2025-20352, in IOS and IOS XE software, actively exploited in the wild. The flaw in the SNMP subsystem allows remote code execution (RCE) or denial-of-service (DoS). Affected devices include Meraki MS390 and Catalyst 9300 Series Switches. Cisco recommends upgrading to fixed releases (17.15.4a) and provides a mitigation technique for those unable to update. Strong credential management is essential to prevent exploitation. No workarounds are available.
Cisco IOS 0-Day RCE Vulnerability Actively Exploited in the Wild
2025-09-25 | The Hacker News: Cisco Warns of Actively Exploited SNMP Vulnerability Allowing RCE or DoS in IOS Software
Cisco has identified a high-severity vulnerability (CVE-2025-20352, CVSS 7.7) in IOS and IOS XE Software, allowing remote code execution (RCE) or denial-of-service (DoS) attacks. Exploitation requires specific SNMP credentials. The flaw, stemming from a stack overflow in the SNMP subsystem, affects all SNMP versions and specific Cisco devices. No workarounds exist; mitigation includes restricting SNMP access and monitoring with the "show snmp host" command. The issue is resolved in Cisco IOS XE 17.15.4a.
2025-09-25 | Security Affairs: Cisco fixed actively exploited zero-day in Cisco IOS and IOS XE software
Cisco addressed a high-severity zero-day vulnerability, CVE-2025-20352, in Cisco IOS and IOS XE Software, actively exploited in the wild. The flaw in the SNMP subsystem allows remote authenticated attackers to trigger a DoS condition or execute root code. Attackers need specific SNMP credentials to exploit the vulnerability. Cisco advises upgrading to fixed software and temporarily restricting SNMP access to trusted users, as no workarounds are available.
2025-09-25 | Help Net Security: Cisco fixes IOS/IOS XE zero-day exploited by attackers (CVE-2025-20352)
Cisco has addressed 14 vulnerabilities in IOS and IOS XE software, including CVE-2025-20352, a high-severity stack overflow vulnerability in the SNMP subsystem. Exploitation can lead to a denial-of-service condition or arbitrary code execution with root access. Attackers need specific SNMP credentials for successful exploitation. Affected devices include older Catalyst switches and various routers. Cisco recommends using the Software Checker for updates and suggests limiting SNMP access to trusted users as a temporary mitigation.
2025-09-25 | The Register: Zero-day deja vu as another Cisco IOS bug comes under attack
Cisco has confirmed a new high-severity zero-day vulnerability in IOS and IOS XE, tracked as CVE-2025-20352, affecting the SNMP subsystem. Exploitation allows attackers with low-privilege SNMP credentials to crash devices, while those with higher privileges can execute arbitrary code. Cisco's PSIRT reported successful exploitation in the wild after local Administrator credentials were compromised. The only mitigation is to upgrade to a fixed software release, as no workarounds are available.
2025-09-25 | Ars Technica: As many as 2 million Cisco devices affected by actively exploited 0-day
As many as 2 million Cisco devices are vulnerable to a zero-day exploit, tracked as CVE-2025-20352, which can remotely crash systems or execute code. This affects all supported versions of Cisco IOS and IOS XE, with a severity rating of 7.7. Exploitation requires low-privileged access for denial-of-service or higher privileges for remote code execution. Cisco advises upgrading to a fixed software release to mitigate the risk. The vulnerability stems from a stack overflow in the SNMP handling component.
2025-09-25 | TechRadar: Cisco warns zero-day vulnerability exploited in attacks on IOS software
Cisco has patched CVE-2025-20352, a high-severity SNMP vulnerability in IOS and IOS XE Software, actively exploited in the wild. The flaw allows attackers to cause DoS or gain root access using crafted SNMP packets and valid credentials. Affected devices include Meraki MS390 and Cisco Catalyst 9300 Series Switches. No workarounds exist; users must apply the patch immediately. The vulnerability has a severity score of 7.7/10, and exploitation has been confirmed in the wild.
2025-09-25 | Cyberscoop: Cisco uncovers new SNMP vulnerability used in attacks on IOS devices
Cisco has issued security updates for a critical vulnerability (CVE-2025-20352) in its IOS and IOS XE systems, exploited in active attacks. The SNMP flaw allows low-privileged attackers to cause denial of service and higher-privileged ones to execute arbitrary code. Affected devices include those with SNMP enabled, such as Meraki MS390 and Catalyst 9300. No workarounds exist beyond updates, and organizations are advised to limit SNMP access temporarily. The update also addressed 13 other vulnerabilities, including significant ones related to cross-site scripting and denial of service.
PSF Warns of Fake PyPI Login Site Stealing User Credentials
Date: 2025-09-24 | Source: Hack Read
The Python Software Foundation (PSF) warns of a phishing campaign targeting PyPI users, involving fake emails and a spoofed login site at pypi-mirror.org. Users are urged to verify account details or face suspension. Those who entered credentials should change their passwords and check account activity. PSF is working to remove malicious domains and strengthen two-factor authentication. Experts recommend using hardware keys and password managers to mitigate risks, emphasizing the importance of cautious email practices.
2025-09-24 | The Register: New string of phishing attacks targets Python developers
The Python Software Foundation has issued a warning about phishing attacks targeting Python developers through a fake PyPI website, pypi-mirror.org. Users are urged to change their passwords immediately if they provided credentials. The phishing emails claim account verification is needed to avoid suspension. This attack poses a significant supply chain risk, as compromised accounts could lead to malware injection in Python packages. The campaign follows a similar attack in July and highlights the dangers of open-source software distribution.
2025-09-25 | TechRadar: Python developers targeted with new password-stealing phishing attacks - here's how to stay safe
Phishing attacks targeting Python developers are ongoing, with the PyPI foundation warning users about fake domains like pypi-mirror.org. Victims receive urgent emails asking to verify accounts, threatening closure if ignored. Users are advised to adopt phishing-resistant 2FA and domain-aware password managers. If credentials have been compromised, immediate password changes and monitoring of account activity are recommended. Report suspicious activities to security@pypi.org.
2025-09-26 | Cyber Security News: New Phishing Attack Targeting PyPI Maintainers to Steal Login Credentials
A phishing campaign targeting Python Package Index (PyPI) maintainers has emerged, using domain confusion tactics to steal login credentials. Fraudulent emails mimic official PyPI communications, urging users to verify their email for account security. The emails direct users to the malicious domain pypi-mirror.org, which closely resembles the legitimate PyPI site. This attack exploits trust in official communications and employs sophisticated domain spoofing techniques. PyPI security teams are working to mitigate the threat through takedown efforts.
China-linked groups are using stealthy malware to hack software suppliers
Date: 2025-09-24 | Source: Cybersecurity Dive
Highly sophisticated hackers linked to the Chinese government, primarily the group UNC5221, are targeting technology and legal firms using stealthy malware, including a backdoor called Brickstorm. This malware evades detection on systems like VMware ESXi, leading to an average dwell time of 393 days before discovery. Google is releasing tools to help organizations detect Brickstorm. The attackers exploit vulnerabilities in perimeter infrastructure, including Ivanti Connect Secure VPNs, with long-term impacts expected from these breaches.
2025-09-24 | Cyberscoop: Brickstorm malware powering ‘next-level’ Chinese cyberespionage campaign
Ambitious Chinese hackers, dubbed Brickstorm, are conducting a sophisticated cyberespionage campaign targeting U.S. legal services and tech companies, aiming to steal intellectual property and uncover zero-day vulnerabilities. The campaign has an average dwell time of 400 days, utilizing stealthy techniques that complicate detection. Mandiant and Google Threat Intelligence Group have developed a scanning tool to help organizations identify potential compromises. The hackers are also known for cleaning up traces of their activity.
2025-09-24 | Google Cloud: Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors
The BRICKSTORM threat actor employs advanced techniques for persistence and stealth, primarily targeting tech and legal sectors. Initial access often involves exploiting zero-day vulnerabilities, with a focus on perimeter and remote access infrastructure. The BRICKSTORM backdoor, written in Go, is deployed on various appliances, notably VMware vCenter and ESXi hosts. The actor uses a malicious Java Servlet filter, BRICKSTEAL, to capture credentials, emphasizing the need for multi-factor authentication to mitigate risks.
2025-09-24 | The Register: Google warns China-linked spies lurking in 'numerous' enterprises
Unknown intruders, likely linked to China, have breached numerous enterprise networks since March, deploying backdoors for long-term data theft, remaining undetected for an average of 393 days. Google attributes these attacks to UNC5221, exploiting Ivanti zero-days, including CVE-2023-46805. The primary backdoor, BRICKSTORM, targets VMware systems and employs stealth techniques. Mandiant has released a scanner to detect BRICKSTORM activity and recommends a TTP-based approach for hunting these threats.
2025-09-24 | The Hacker News: UNC5221 Uses BRICKSTORM Backdoor to Infiltrate U.S. Legal and Technology Sectors
A suspected China-nexus cyber espionage group, UNC5221, is using the BRICKSTORM backdoor to infiltrate U.S. legal and technology sectors, targeting SaaS providers to access customer data. The backdoor exploits Ivanti Connect Secure vulnerabilities (CVE-2023-46805, CVE-2024-21887) and maintains stealthy access for over 393 days. It employs advanced evasion techniques, including a malicious Java Servlet filter for credential theft. Google has released a scanner to help organizations detect BRICKSTORM activity.
2025-09-24 | Recorded Future: China-linked hackers use ‘BRICKSTORM’ backdoor to steal IP
Alleged Chinese government hackers, identified as UNC5221, are using a sophisticated backdoor named BRICKSTORM to infiltrate organizations, particularly targeting U.S. law firms for sensitive data related to national security. Mandiant reported numerous intrusions since March 2025, with the backdoor primarily found on Linux appliances lacking endpoint detection. The hackers exploited a zero-day vulnerability in Ivanti devices and demonstrated advanced evasion techniques, maintaining long-term access to victim systems.
2025-09-25 | CSO Online: Chinese spies had year-long access to US tech and legal firms
Chinese threat actors maintained year-long access to US tech and legal firms by deploying a custom Linux backdoor on compromised network edge devices. These backdoors went undetected for an average of 393 days, facilitating lateral movement to VMware vCenter, ESXi hosts, Windows workstations, servers, and Microsoft 365 mailboxes. Researchers from Mandiant and Google’s Threat Intelligence Group noted that the compromised targets could provide valuable data for developing zero-days and broader access to downstream victims.
2025-09-25 | Hack Read: China-Linked Hackers Hit US Tech Firms with BRICKSTORM Malware
A China-linked hacking group, tracked as UNC5221, is conducting a long-term espionage campaign against US tech firms using BRICKSTORM malware. This custom Go-language malware targets Linux and BSD systems, exploiting zero-day vulnerabilities to access high-value systems like VMware vCenter. The attackers aim to steal sensitive information, particularly from SaaS providers and their clients. Mandiant recommends enhanced cybersecurity measures and has released a scanner script for detecting BRICKSTORM on Linux systems.
2025-09-25 | Infosecurity Magazine: Chinese Hackers Use 'BRICKSTORM' Backdoor to Breach US Firms
Chinese hackers are using the 'BRICKSTORM' backdoor to breach US legal and tech firms, SaaS providers, and outsourcing companies since at least March 2025. The Google Threat Intelligence Group reports that UNC5221, a Chinese-aligned threat cluster, exploits zero-day vulnerabilities and targets email accounts of key individuals. BRICKSTORM, a Go backdoor, operates on VMware vCenter servers, utilizing WebSockets for C2 communication. Google has released a scanner script to detect this backdoor on affected systems.
2025-09-25 | DIGIT: Google Warns of China-linked Cyber-attacks Targeting Tech
Hackers linked to the Chinese government, identified as UNC5221, are targeting tech companies and legal firms using BRICKSTORM malware to extract intellectual property. Google’s Mandiant reported tracking these intrusions since March, noting an average dwell time of 393 days. The malware exploits systems lacking traditional security tools, enabling credential theft and data exfiltration. Mandiant released a scanner script to help organizations detect BRICKSTORM activity, emphasizing the potential for both active and historic compromises.
2025-09-25 | TechRadar: Under the radar - Google warns new Brickstorm malware was stealing data from US firms for over a year
Google's Threat Intelligence Group warns that the UNC5221 group has been using Brickstorm malware to target US legal, tech, and SaaS firms for over a year, leading to significant data loss. The malware exploits zero-day vulnerabilities in overlooked devices, allowing stealthy lateral movement and data exfiltration. Mandiant recommends TTP-based threat hunting, updating asset inventories, monitoring traffic, and enforcing multi-factor authentication to mitigate risks associated with this campaign.
2025-09-26 | Security Affairs: Google warns of Brickstorm backdoor targeting U.S. legal and tech sectors
Google warns that China-linked actors are using the Brickstorm backdoor to target U.S. legal and tech sectors, stealing data undetected for over a year. The malware, first detailed in April 2024, exploits zero-day vulnerabilities and enables lateral movement within networks. Recent attacks involved intercepting credentials via a Java Servlet filter and exfiltrating emails through Microsoft Entra ID apps. Mandiant has released a scanner script to help organizations detect Brickstorm activity.
Vegas Gambling Giant Hit by Cyber Incident, Employee Data Exposed
Date: 2025-09-24 | Source: Infosecurity Magazine
Boyd Gaming Corporation reported a cybersecurity incident on September 23, 2023, affecting employee data after an unauthorized third party accessed its IT systems. The company is notifying impacted individuals and regulators but has not disclosed the nature or number of affected individuals. Boyd has engaged cybersecurity experts and federal law enforcement for remediation. The incident is not expected to materially affect the company's financial condition, and it has comprehensive cybersecurity insurance to cover related costs.
2025-09-24 | Recorded Future: Casino company Boyd Gaming hacked, employee data stolen
Boyd Gaming reported a cyberattack that resulted in the theft of employee data from its internal IT system. The company informed the SEC via an 8-K form, stating the incident did not affect its operations or properties. The timing of the attack and whether it involved ransomware remain unclear. Federal law enforcement is assisting in recovery efforts. Boyd Gaming is notifying affected individuals and state regulators, with costs expected to be covered by cyber insurance.
2025-09-24 | The Register: Cybercriminals cash out with casino giant's employee data
Boyd Gaming disclosed a cyberattack affecting employee and other personal data, warning US regulators of potential data theft. The breach's timing and responsible parties remain unconfirmed. The compromised data includes information on employees and a limited number of other individuals, though specifics are not provided. Boyd Gaming stated that cleanup costs will not materially impact its finances due to a comprehensive cybersecurity insurance policy. The company operates 27 sites and employs around 16,000 people.
2025-09-24 | TechRadar: Casino gaming giant hit by major cyberattack - employee information and more stolen, here's what we know
Boyd Gaming Corporation experienced a cyberattack that compromised sensitive employee data and information on other individuals. The company filed an 8-K form with the SEC, stating that unauthorized third parties accessed its IT system. While business operations remained unaffected, the nature and extent of the stolen data are unclear. Boyd is notifying impacted individuals and expects its cybersecurity insurance to cover investigation and legal costs. The incident is not anticipated to materially impact its financial condition.
CISA Details That Hackers Gained Access to a U.S. Federal Agency Network Via GeoServer RCE Vulnerability
Date: 2025-09-24 | Source: Cyber Security News
CISA reported that hackers exploited CVE-2024-36401, a critical RCE vulnerability in GeoServer, to breach a U.S. federal agency's network on July 11, 2024. The attack, undetected for three weeks, involved extensive reconnaissance and lateral movement across systems. Key findings include inadequate vulnerability management and incident response. The advisory stresses the importance of immediate remediation of known vulnerabilities and continuous monitoring of EDR alerts. CVSS score: 9.8 (Critical).
2025-09-24 | Infosecurity Magazine: Federal Agency Compromised Via GeoServer Exploit, CISA Reveals
A federal agency was compromised on July 11, 2024, due to exploitation of CVE-2024-36401 in a public-facing GeoServer, as reported by CISA on September 23. The attackers used the vulnerability for lateral movement, accessing multiple servers and uploading web shells. Failures in vulnerability remediation, incident response, and EDR log reviews contributed to the breach. CISA emphasized the need for improved patching processes and recommended applying lessons learned to enhance security posture.
2025-09-24 | Security Affairs: How threat actors breached a U.S. federal civilian agency by exploiting a GeoServer flaw
Threat actors exploited an unpatched vulnerability in GeoServer (CVE-2024-36401, CVSS 9.8) to breach a U.S. federal civilian agency's network on July 11, 2024. CISA initiated incident response after EDR alerts detected malicious activity. Attackers accessed multiple GeoServers, deployed web shells, and used techniques to evade detection. The breach remained undetected for three weeks, revealing issues with vulnerability remediation and incident response protocols.
2025-09-24 | TechRadar: US federal agency breached by hackers using GeoServer exploit, CISA says
In July 2024, a US federal agency was breached by attackers exploiting a critical RCE vulnerability in GeoServer (CVE-2024-36401, CVSS 9.8). The attackers used the China Chopper web shell for remote access and lateral movement, compromising multiple systems. The vulnerability was disclosed on June 30 and added to CISA's KEV catalog by July 15. CISA emphasized the importance of timely patching, incident response plans, and continuous alert monitoring to mitigate such risks.
Two New Supermicro BMC Bugs Allow Malicious Firmware to Evade Root of Trust Security
Date: 2025-09-23 | Source: The Hacker News
Two medium-severity vulnerabilities in Supermicro Baseboard Management Controller (BMC) firmware, CVE-2025-7937 and CVE-2025-6198, allow attackers to bypass firmware verification and install malicious images. CVE-2025-7937 exploits a flaw in the "fwmap" table, while CVE-2025-6198 manipulates the signing table. Both vulnerabilities compromise the Root of Trust (RoT) security feature. Binarly recommends rotating signing keys to mitigate risks associated with key reuse, which could lead to widespread impacts.
2025-09-24 | Ars Technica: Supermicro server motherboards can be infected with unremovable malware
Supermicro server motherboards have critical vulnerabilities (CVE-2024-10237, CVE-2025-7937, CVE-2025-6198) allowing remote installation of malicious firmware, undetectable without special protections. An incomplete patch from January failed to fully address CVE-2024-10237. These vulnerabilities can enable persistent malware similar to ILObleed, affecting AI data centers and allowing attackers to maintain control even after OS reinstalls or hardware changes.
2025-09-25 | Cyber Security News: BMC Firmware Vulnerabilities Allow Attackers to Bypass Signature Verification Features
Critical vulnerabilities in Supermicro BMC firmware allow attackers to bypass signature verification, compromising server security. The flaws, linked to CVE-2024-10237 and CVE-2025-7937, stem from inadequate patches and design weaknesses in firmware validation. Attackers can upload malicious firmware and manipulate validation processes, gaining persistent control over BMC systems and main operating systems. The vulnerabilities exploit weaknesses in the firmware's three-step validation, undermining fundamental hardware security assumptions in enterprise environments.
2025-09-25 | TechRadar: Experts warn Supermicro motherboards can be infected with "unremovable" new malware - here's what we know
Security experts from Binarly have identified critical vulnerabilities in Supermicro's Baseboard Management Controller (BMC) firmware, allowing for the installation of persistent, unremovable malware. The flaws, CVE-2025-7937 and CVE-2025-6198, enable attackers to bypass previous patches and exploit firmware validation inconsistencies. Researchers recommend implementing hardware-backed Root of Trust and stricter integrity checks to mitigate these risks, as the vulnerabilities can grant full control over affected systems.
2025-09-25 | CSO Online: New Supermicro BMC vulnerabilities open servers to malicious attacks on firmware
Two new vulnerabilities in Supermicro's baseboard management controller (BMC) firmware have been disclosed, revealing significant security weaknesses. These flaws could allow attackers to hijack the firmware, granting them control over the server and enabling persistence below the operating system and standard security measures. Supermicro, a prominent server motherboard manufacturer, faces potential risks to data center operations due to these vulnerabilities. Recommendations for mitigation have not been specified in the article.
OnePlus leaves researchers on read over Android bug that exposes texts
Date: 2025-09-23 | Source: The Register
A critical vulnerability (CVE-2025-10184) in OnePlus smartphones allows unauthorized apps to access SMS and MMS data without user interaction, affecting multiple OxygenOS versions since December 2021. Rapid7 reported that the flaw, stemming from SQL injection vulnerabilities in internal content providers, could bypass SMS-based MFA protections. Despite multiple attempts to notify OnePlus since May, the company has not responded. Users are advised to install apps from trusted sources and switch to authenticator apps for MFA.
2025-09-24 | Cyber Security News: OnePlus OxygenOS Vulnerability Allows Any App to Read SMS Data Without Permission
A severe vulnerability (CVE-2025-10184) in OnePlus OxygenOS allows any app to read SMS and MMS messages without permission, affecting devices running OxygenOS 12-15, including OnePlus 8T and 10 Pro. The flaw arises from improperly secured content providers, enabling SQL injection attacks to extract message data. This compromises SMS-based MFA systems. Users are advised to remove non-essential apps and switch to authenticator apps until OnePlus releases patches. CVSS score: 7.8 (High).
2025-09-24 | Rapid7: CVE-2025-10184: OnePlus OxygenOS Telephony provider permission bypass (NOT FIXED)
CVE-2025-10184 is a permission bypass vulnerability in OnePlus OxygenOS affecting multiple Android smartphones, allowing unauthorized apps to access SMS/MMS data without user consent. Rapid7 disclosed the issue, which impacts devices running OxygenOS 12 and later. The vulnerability could undermine SMS-based MFA security. OnePlus acknowledged the issue on Sept 24, 2025, and is investigating. Users are advised to limit app installations and switch to authenticator apps for MFA. No patch is available yet.
2025-09-25 | TechRadar: OnePlus phone flaw could let devices send out unwanted text messages - so take care who you ping
A vulnerability identified as CVE-2025-10184 affects OxygenOS versions 12 to 15 on OnePlus devices, allowing attackers to read and send SMS messages, including 2FA codes. Discovered by Rapid7, the flaw impacts multiple devices and has been unaddressed by OnePlus since its detection in May 2025. Users are advised to minimize app installations, avoid SMS-based 2FA, and switch to alternative messaging apps. The vulnerability has a severity score of 8.2/10.